Ensure that EC2 instance's custom AMI is not publicly shared

Avoid publicly sharing AMIs to reduce the risk of exposing sensitive information.

Risk Level: Critical
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.IAM.106
Category: Compute


Instance where imageDetails.imageLocation regexMatch /^(?!amazon|aws-marketplace\/).+/ should not have imageDetails.isPublic


Note: The following instructions refer to the native 'Public' case, provided within the portal under 'AMI availability'. For further cases and instructions, please follow AWS documentation.

From Portal

  1. Go to 'EC2 Dashboard'
  2. In the left menu, under 'Images', select 'AMIs'
  3. Select the publicly shared AMI
  4. Under 'Actions', select 'Edit AMI permissions'
  5. Change 'AMI availability' to 'Private'
  6. Save

From TF
To remove the publicly shared AMI permissions, remove the relevant 'aws_ami_launch_permission' block:

resource "aws_ami_launch_permission" "ami_launch_permission_example" {
	image_id = AMI-ID
	group    = "all"

From Command Line
To remove the publicly shared AMI permissions, run:

aws ec2 modify-image-attribute --image-id AMI-ID --launch-permission "Remove=[{Group=all}]"


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharing-amis.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-image-attribute.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS Security Risk Management
  • CloudGuard AWS Default Ruleset