June 04, 2011
When using Amazon Machine Images (AMI’s), it is important to remember to use proper precautions to ensure that important credentials are not inadvertently left on AMIs when shared publicly. We’ve recently been made aware of a few situations in which customers created and publicly shared credentials unknowingly.
In cases where AWS has been made aware of customers who have inadvertently exposed AWS and third-party access credentials within a created and shared public AMI, AWS has contacted these customers, and encouraged them to make the associated AMI private and immediately change their exposed credentials. In cases where the affected customer could not be immediately reached, AWS has made the associated AMI private on behalf of the customer to prevent further exposure of their personal AWS and third-party access credentials.
In cases where AWS has been made aware of a public AMI that contains a pre-installed public SecureShell (SSH) key, which effectively grants the AMI publisher remote access to any running instances of that AMI, AWS has contacted the AMI publisher and required the AMI publisher to make the associated AMI private. In cases where the AMI publisher could not be immediately reached, or did not quickly comply with making the associated AMI private, AWS has made the associated AMI private in order to protect our customers. Additionally, all identified customers running instances of that affected AMI have been notified and encouraged to remove the offending pre-installed public SSH key, effectively blocking remote access by the AMI publisher. Identified customers running instances of the affected AMI have also been strongly encouraged to backup existing data and migrate to a newer AMI, if available.
We have received no reports that these vulnerabilities have been actively exploited. The purpose of this document is to remind users that it is extremely important to thoroughly search for and remove any important credentials from an AMI before making it publicly available. The purpose of this document is to remind users that it is extremely important to thoroughly search for and remove any important credentials from an AMI before making it publicly available. A tutorial on how to securely share and use public AMIs can be found here: http://aws.amazon.com/articles/0155828273219400
Further guidance on sharing AMIs safely can be found here: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?AESDG-chapter-sharingamis.html
Following these guidelines produces a better user experience, helps ensure user instances are secure, and can protect the AMI publisher.
Customers should report any security concerns associated with a public AMI to AWS Security, aws-security@amazon.com