Are Your EC2 Instances Running Malicious AMIs?

17 February 2025
Are Your EC2 Instances Running Malicious AMIs?

There is another AWS specific attack going on this time targeting Terraform for referencing AMIs(Amazon Machine Images) which is basically the snapshot of the OS each EC2 Instance uses when it boots up.

If you reference an AMI using the Terraform aws_ami Data Source then you will want to pay close attention.

Take a look at those docs, specifically the first filter.

 filter {
   name   = "name"
   values = ["myami-*"]
 }

Notice anything there? Like that lovely * wildcard? The lack of specificity could get you in trouble. 

Here is how it works:

AWS allows anyone to make their AMIs publicly available for use in EC2 which is a great way for good people to contribute and maintain various tools for running software on ECS.

Unfortunately, it also allows nefarious parties to release their own images with bad stuff in them. 

Let’s say I release and maintain an AMI which is called mattsvpn and I version it like this mattsvpn-1.1.1 etc.

Now let's say you reference this AMI with some Terraform code that looks something like this:

data "aws_ami" "my_ami" {
 most_recent      = true
 filter {
   name   = "name"
   values = ["mattsvpn-*"]
 }
}

Notice the most_recent flag is set to true so you can get the latest updates when spinning up new instances.

Now let's say some bad guy creates their own image packed with malicious code and register that AMI at mattsvpn-xyz. The next time you update your tf it will use that wildcard to pull the latest image registered starting with mattsvpn- and it will find the bad guys AMI.

Now until the next time I push up an AMI you will be running the bad guys code on your EC2 instances.

How to combat this:

First:  Be really careful with your uses of wildcards when defining anything from permissions to references to AMI images.

Second: Specify an owners filter to only pull from AMI owners you trust.

Here is a link to the Short video for this post.

Question For You:

Do you like hearing about these AWS security things? 

It feels like I have been on an AWS security streak lately but I am not intentionally doing that. It's all just AWS security stuff that is popping off now.

Let me know if you want more security stuff or if I should mix it up a bit more.