Public AMI Publishing: Hardening and Clean-up Requirements
As a publisher of a public AMI, you are responsible for the initial security posture of the machine images that you distribute. You are free to configure your private AMIs in any way that meets your business needs and does not violate our Amazon Web Services Acceptable Use Policy. However, when an AMI is made public, it can be launched by customers who are not security experts, and who are not familiar with the history and details of the AMI. In order to protect our customers, certain minimum security standards must be met by all public AMIs.
This article expands on the following existing resources:
- The Sharing AMIs Safely section of the EC2 User Guide, which can be found at http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/AESDG-chapter-sharingamis.html.
- How To Share and Use Public AMIs in A Secure Manner, which is available at https://aws.amazon.com/articles/0155828273219400.
In addition to making sure that the software you publish is up to date with relevant security patches, you must also minimally perform the following set of clean-up and hardening tasks before publishing your AMI.
- Disable services and protocols that authenticate users in clear text (e.g. Telnet and FTP).
- Do not start unnecessary network services on launch. Only administrative services (SSH/RDP) and the services required for your application should be started.
- Securely delete all AWS credentials from disk and configuration files.
- Securely delete any third-party credentials from disk and configuration files.
- Securely delete any additional certificates or key material from the system.
- Ensure that software installed on your AMI does not have default internal accounts and passwords (e.g. database servers with a default admin username and password).
- Ensure that the system does not violate the Amazon Web Services Acceptable Use Policy. Examples include open SMTP relays or proxy servers.
- Configure sshd to allow only
public key authentication. This can be done by setting
PasswordAuthentication noin sshd_config.
- Generate a unique SSH host key on instance creation. If you are using cloud-init in your AMI, it can handle this for you automatically.
- Remove and disable passwords for all user accounts so
that passwords cannot be used to log in and user accounts do not have a
default password. This can be done by running
passwd -l <USERNAME>for each account.
- Securely delete all user SSH public and private key pairs.
- Securely delete the shell history and system log files that contain sensitive data.
- Ensure that all enabled user accounts have new randomly generated passwords on instance creation. The EC2 Config Service can be set to do this for the Administrator account on the next boot, but you must explicitly enable this before bundling the image.
- Ensure that the guest account is disabled.
- Clear the Windows event log.
- Do not join the instance to a Windows domain.
- Do not enable any file share points that are accessible by unauthenticated users. It is recommended to completely disable file shares.
The preceding lists are not intended to be comprehensive lists of hardening tasks for published AMIs and AWS will add to the lists over time, so please reference this document before publishing. If an AMI that you have published is discovered to be in violation of one of the above practices, or poses a significant risk to a customer's running of the AMI, then AWS may take measures to remove the AMI from the public catalog and notify you and those running the AMI of the finding(s).
To securely delete files, use a tool that writes over the disk space that is used by the files. Use of such a tool greatly reduces the ability of a third party to recover the deleted files. For Linux operating systems, utilities like shred or srm can be used. For Windows operating systems, you can use a utility like Sysinternals SDelete or Eraser.
Security Concerns with a Public AMI
If you should discover a public AMI that you feel presents a security risk to any member of the AWS user community, for whatever reason, please e-mail AWS Security directly at email@example.com. We take security very seriously, and investigate all reported issues. If you wish to protect your email, you may use PGP; our key can be found at https://aws.amazon.com/security/aws-pgp-public-key/