Publication Date: 2024/06/11 10:30 AM PDT
AWS is aware of an issue with the Amazon Elastic Compute Cloud (Amazon EC2) VM Import Export Service (VMIE). On April 12, 2024, we addressed this issue and can confirm new Windows OS imports are not affected.
When using the EC2 VMIE service to import a VM using Windows OS, customers can optionally use their own Sysprep answer file. Before April 12, 2024, the EC2 VMIE service had an issue where, if a customer imported a VM using Windows OS to use as an AMI or instance, then an identical backup copy of the answer file would be created without sensitive data being removed if included in the file. This backup file is only accessible to on-instance Windows users who had permission to access the customer-provided answer file.
For customers who used the EC2 VMIE service in this manner, we recommend checking for a file name ending with .vmimport in the following locations, which are associated with Sysprep:
- C:\
- C:\Windows\Panther\
- C:\Windows\Panther\Unattend\
- C:\Windows\system32\
- C:\Windows\system32\sysprep\Panther\Unattend\
Once you identify the .vmimport file, restrict access to necessary user accounts or remove the backup file completely on the imported EC2 instance(s) or instance(s) launched from an affected AMI. Completing either of these actions will not affect the functionality of the EC2 instance. Because new EC2 instances launched using an affected AMI will be affected by this issue, we recommend customers delete the affected AMI and create a new AMI using the EC2 VM Import Export (VMIE) Service to re-import the virtual machine, or use the EC2 API/Console to create a new AMI from the EC2 instance where the fix has been applied.
No action is required for users who had scoped down access to the Sysprep answer file before using EC2 VMIE Service to import the Windows OS or have used EC2 VMIE Service after April 12, 2024, to import Windows OS with/without Sysprep answer file in any AWS region.
We would like to thank Immersive Labs for responsibly disclosing this issue to AWS.
Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.