End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Blocklisted AMIs

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-046

Ensure that all Amazon EC2 instances provisioned within your AWS cloud account are launched from approved AMIs only, in order to enforce security at the application stack level. Before the Trend Cloud One™ – Conformity engine runs this rule, the list of unapproved AMIs must be configured in the rule settings in your Conformity account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Removing unwanted or compromised AMIs from your AWS cloud account prevents known security issues in those images from reaching your application stack and enforces an Amazon EC2 provisioning process that uses only approved AMIs.


Audit

To determine if there are Amazon EC2 instances launched from unapproved AMIs within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Blocklisted AMIs conformity rule settings, and identify the ID(s) of the AMI(s) banned by your organization.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

04 In the left navigation panel, under Instances, choose Instances.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Details tab from the console split panel to access the instance configuration information.

07 In the Instance details section, check the AMI ID attribute value to identify the ID of the image used to launch the selected instance. Cross-reference the AMI ID value with each ID defined in the conformity rule configuration, identified in step 1. If the AMI ID value is marked as unapproved in the conformity rule settings, the selected Amazon EC2 instance was launched from a compromised image that may have security issues or potential vulnerabilities.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance available within the current AWS cloud region.

09 Change the AWS cloud region from the top navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Blocklisted AMIs conformity rule settings, and identify the ID(s) of the AMI(s) banned by your organization.

02 Run the describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

04 Run the describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to return the ID of the image used to create the selected EC2 instance:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0abcdabcdabcdabcd \
	--query 'Reservations[*].Instances[*].ImageId[]'

05 The command output should return the requested image ID:

[
	"ami-0abcd1234abcd1234"
]

Cross-reference the AMI ID returned by the describe-instances command output with each ID defined in the conformity rule configuration, identified in step 1. If the image ID is marked as unapproved in the conformity rule settings, the selected Amazon EC2 instance was launched from a compromised AMI that may have security issues or potential vulnerabilities.

06 Repeat steps no. 4 and 5 for each Amazon EC2 instance provisioned in the selected AWS cloud region.

07 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.
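The audit above compares each instance's AMI ID with the blocklist one instance at a time. The following script is an added example (not Conformity's own tooling) that runs the same comparison over the JSON that `aws ec2 describe-instances --output json` prints for a whole region, and repeats it for every region named on the command line, as steps 02 to 07 do by hand. It assumes the blocklist has been copied out of the rule settings into the BLOCKLISTED_AMIS set; the AMI and instance IDs in the embedded sample are constructed values, used only when no region is given.

```python
#!/usr/bin/env python3
"""Audit EC2 instances against a blocklist of AMI IDs.

Added example, not Conformity's own code. Consumes the JSON printed by
`aws ec2 describe-instances --region <r> --output json` and reports every
instance whose ImageId is on the blocklist.
"""
import json
import subprocess
import sys

# Constructed placeholder blocklist (assumption: copied from the rule settings).
BLOCKLISTED_AMIS = {"ami-0abcd1234abcd1234", "ami-0deadbeefdeadbeef"}

# Constructed sample shaped like `aws ec2 describe-instances` output, so the
# check can be exercised without AWS credentials.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd", "ImageId": "ami-0abcd1234abcd1234",
             "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "prod-web"}]},
            {"InstanceId": "i-0abcdabcdabcdabcd", "ImageId": "ami-0abcdabcdabcdabcd",
             "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0abcd1234abcd1234", "ImageId": "ami-0deadbeefdeadbeef",
             "State": {"Name": "terminated"}},
        ]},
    ]
}


def name_tag(instance):
    """Return the Name tag of an instance record, or '' when it is untagged."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def find_blocklisted_instances(describe_output, blocklist, region, include_terminated=False):
    """Walk Reservations[*].Instances[*] and return a finding for each instance
    whose ImageId is in the blocklist.

    Terminated instances are skipped by default (they still appear in
    describe-instances for a while but no longer run); pass
    include_terminated=True when building a timeline of what was launched.
    """
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "")
            if state == "terminated" and not include_terminated:
                continue
            image_id = inst.get("ImageId")
            if image_id in blocklist:
                findings.append({
                    "Region": region,
                    "InstanceId": inst["InstanceId"],
                    "ImageId": image_id,
                    "State": state,
                    "Name": name_tag(inst),
                })
    return findings


def describe_instances(region):
    """Run the same CLI call the audit uses and parse its JSON output."""
    out = subprocess.run(
        ["aws", "ec2", "describe-instances", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def audit_regions(regions, blocklist):
    """Repeat the audit for every region, as step 07 instructs."""
    findings = []
    for region in regions:
        findings.extend(find_blocklisted_instances(describe_instances(region), blocklist, region))
    return findings


if __name__ == "__main__":
    regions = sys.argv[1:]
    if regions:
        results = audit_regions(regions, BLOCKLISTED_AMIS)
    else:  # no regions given: run against the embedded constructed sample
        results = find_blocklisted_instances(SAMPLE_DESCRIBE_OUTPUT, BLOCKLISTED_AMIS, "us-east-1")
    for f in results:
        print(f"NON-COMPLIANT {f['Region']} {f['InstanceId']} ({f['Name'] or 'unnamed'}) "
              f"launched from blocklisted {f['ImageId']} [{f['State']}]")
    sys.exit(1 if results else 0)
```

Run it as `python3 audit_amis.py us-east-1 eu-west-1` with AWS credentials in the environment; a non-zero exit status makes it usable as a scheduled or pipeline gate.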

Remediation / Resolution

To redeploy Amazon EC2 instances built with unapproved Amazon Machine Images (AMIs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Create EC2 instance from approved AMI",
	"Parameters":{
		"InstanceKeyName":{
			"Type":"AWS::EC2::KeyPair::KeyName",
			"Description":"The SSH key used to access the instance."
		},
		"InstanceSecurityGroup":{
			"Type":"AWS::EC2::SecurityGroup::Id",
			"Description":"The ID of the security group to use."
		}
	},
	"Resources":{
		"EncryptedEC2Instance":{
			"Type":"AWS::EC2::Instance",
			"Properties":{
				"ImageId":"ami-0abcd1234abcd1234",
				"InstanceType":"t3.micro",
				"KeyName":{
					"Ref":"InstanceKeyName"
				},
				"SubnetId":"subnet-abcd1234",
				"SecurityGroupIds":[
					{
						"Ref":"InstanceSecurityGroup"
					}
				],
				"BlockDeviceMappings":[
					{
						"DeviceName":"/dev/xvda",
						"Ebs":{
							"VolumeSize":"150",
							"VolumeType":"gp2"
						}
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create EC2 instance from approved AMI
Parameters:
  InstanceKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The SSH key used to access the instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: The ID of the security group to use.
Resources:
  EncryptedEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName:
        Ref: InstanceKeyName
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - Ref: InstanceSecurityGroup
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: '150'
            VolumeType: gp2

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Create EC2 instance from approved AMI
resource "aws_instance" "compliant-ec2-instance" {

	ami = "ami-0abcd1234abcd1234"
	instance_type = "t3.micro"
	key_name = "ssh-key"
	subnet_id = "subnet-abcd1234"
	vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

	ebs_block_device {
		device_name = "/dev/xvda"
		volume_size = 150
		volume_type = "gp2"
	}

}
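The CloudFormation and Terraform templates above pin the image to a single approved AMI. The check below is an added example (not Conformity's, AWS's or HashiCorp's code) that enforces the same rule before deployment: it extracts every hard-coded ImageId or ami value from a CloudFormation template (JSON or YAML) or a Terraform .tf file with regular expressions and rejects any that is on the blocklist. File names, contents and the blocklist are constructed. It deliberately reports nothing for an ImageId that comes from a parameter or !Ref, because that value only exists at deploy time; the post-launch audit catches those.

```python
#!/usr/bin/env python3
"""Pre-deployment check for blocklisted AMIs in IaC files.

Added example, not part of the original page. Uses only the standard
library so it can run in any CI job without extra dependencies.
"""
import json
import re
import sys

BLOCKLISTED_AMIS = {"ami-0abcd1234abcd1234"}  # constructed placeholder

AMI_RE = r"ami-[0-9a-f]{8,17}"
PATTERNS = [
    # CloudFormation (YAML or JSON): ImageId: ami-...  /  "ImageId":"ami-..."
    re.compile(r'^\s*"?ImageId"?\s*:\s*["\']?(' + AMI_RE + ')', re.MULTILINE),
    # Terraform aws_instance: ami = "ami-..."
    re.compile(r'^\s*ami\s*=\s*"(' + AMI_RE + ')"', re.MULTILINE),
]

# Constructed sample files mirroring the page's templates (trimmed to what matters here).
SAMPLE_FILES = {
    "template.json": json.dumps({"Resources": {"Web": {"Type": "AWS::EC2::Instance",
                                 "Properties": {"ImageId": "ami-0abcd1234abcd1234"}}}}, indent=2),
    "template.yaml": ("Resources:\n  Web:\n    Type: AWS::EC2::Instance\n"
                      "    Properties:\n      ImageId: ami-0abcdabcdabcdabcd\n"),
    "main.tf": ('resource "aws_instance" "web" {\n'
                '  ami = "ami-0abcd1234abcd1234"\n'
                '  instance_type = "t3.micro"\n}\n'),
}


def image_ids_in(text):
    """Return every AMI ID that appears as a literal ImageId/ami property."""
    found = []
    for pat in PATTERNS:
        found.extend(pat.findall(text))
    return found


def blocklisted_refs(text, blocklist):
    """Sorted, de-duplicated list of blocklisted AMIs referenced in one file."""
    return sorted({ami for ami in image_ids_in(text) if ami in blocklist})


def scan(files, blocklist):
    """Map each file name to the blocklisted AMIs it references (empty list = clean)."""
    return {name: blocklisted_refs(text, blocklist) for name, text in files.items()}


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        files = {}
        for p in paths:
            with open(p, encoding="utf-8") as fh:
                files[p] = fh.read()
    else:
        files = SAMPLE_FILES  # no arguments: demonstrate on the constructed samples
    report = scan(files, BLOCKLISTED_AMIS)
    bad = {name: amis for name, amis in report.items() if amis}
    for name, amis in bad.items():
        print(f"BLOCKED {name}: references {', '.join(amis)}")
    sys.exit(1 if bad else 0)
```

Point it at the template and .tf files in a pull request (`python3 check_iac_amis.py template.yaml main.tf`); the non-zero exit fails the job before anything is launched from a blocklisted image.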

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, select Instances.

04 Select the Amazon EC2 instance that you want to re-create and collect all the relevant configuration information.

05 Choose Launch instances and perform the following actions to launch your new Amazon EC2 instance:

  1. For Name and tags, provide a name tag for your instance in the Name box. (Optional) Choose Add additional tags to apply user-defined tags to your new EC2 instance. You can track compute cost and other criteria by tagging your instance.
  2. For Application and OS Images (Amazon Machine Image), choose the Amazon Machine Image (AMI) required to launch your new Amazon EC2 instance. You can select an AMI provided by AWS, the AWS user community, or AWS Marketplace, or you can choose your own AMI. To create your own approved (golden) AMI, see Approved/Golden AMIs.
  3. For Instance type, select the required instance type from the Instance type dropdown list (must match the hardware configuration of the source instance).
  4. For Key pair (login), you can select the same key pair as the source instance from the Key pair name - required dropdown list or choose Create new key pair to create a new key pair for your instance.
  5. For Network settings, choose Select existing security group under Firewall (security groups), and select the appropriate security group(s) from the Common security groups dropdown list (must match the security group configuration of the source instance). If you need to change the VPC network settings, choose Edit, and make sure the network settings align with the source instance settings.
  6. For Configure storage, configure the storage device settings (must match the storage configuration of the source instance).
  7. For Advanced details, configure the advanced settings supported by your EC2 instance (must match the configuration of the source instance).
  8. For Summary, review the instance details, and choose Launch instance to deploy your new, compliant Amazon EC2 instance.
  9. Choose View all instances to view your new EC2 instance. Once the Instance State is set to Running, your new instance is ready to use.

06 Once your new Amazon EC2 instance is running, install and configure the necessary software to run your applications, then transfer your application files from the source instance to the new instance.

07 (Optional) To stop incurring any charges for your non-compliant (source) instance, you must terminate it. To shut down the instance, perform the following actions:

  1. In the left navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to terminate.
  3. Choose Instance state and select Terminate (delete) instance.
  4. In the Terminate (delete) instance confirmation box, review the instance details, then choose Terminate (delete) to terminate the selected EC2 instance.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance that you want to redeploy, available within the current AWS cloud region.

09 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) to list the configuration information for the Amazon EC2 instance that you want to re-create (i.e., the source instance):

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd \
	--query 'Reservations[*].Instances[]'

02 The command output should return the configuration information necessary for re-creating your Amazon EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [
			{
				"DeviceName": "/dev/xvda",
				"Ebs": {
					"AttachTime": "2025-07-01T11:00:32+00:00",
					"DeleteOnTermination": true,
					"Status": "attached",
					"VolumeId": "vol-0abcd1234abcd1234"
				}
			}
		],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Association": {
					"IpOwnerId": "amazon",
					"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
					"PublicIp": "xxx.xxx.xxx.xxx"
				},
				"Attachment": {
					"AttachTime": "2025-07-01T11:00:31+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attached",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
				"PrivateIpAddress": "172.10.20.30",
				"PrivateIpAddresses": [
					{
						"Association": {
							"IpOwnerId": "amazon",
							"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
							"PublicIp": "xxx.xxx.xxx.xxx"
						},
						"Primary": true,
						"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
						"PrivateIpAddress": "172.10.20.30"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"HibernationOptions": {
			"Configured": false
		},
		"MetadataOptions": {
			"State": "applied",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PlatformDetails": "Linux/UNIX",
		"UsageOperation": "RunInstances",
		"UsageOperationUpdateTime": "2025-07-01T11:00:31+00:00",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": true,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"NetworkPerformanceOptions": {
			"BandwidthWeighting": "default"
		},
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-01234abcd1234abcd",
		"ImageId": "ami-0abcd1234abcd1234",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"PrivateDnsName": "ip-172-10-20-30.ec2.internal",
		"PublicDnsName": "ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T10:01:31+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.10.20.30",
		"PublicIpAddress": "xxx.xxx.xxx.xxx"
	}
]

03 Run the run-instances command (OSX/Linux/UNIX) to launch a new Amazon EC2 instance from an approved AMI. Use the information returned in step no. 2 to configure your new EC2 instance. For --image-id, specify the Amazon Machine Image (AMI) required to launch your new Amazon EC2 instance. You can select an AMI provided by AWS, the AWS user community, or AWS Marketplace, or you can choose your own AMI. To create your own approved (golden) AMI, see Approved/Golden AMIs:

aws ec2 run-instances \
	--region us-east-1 \
	--image-id ami-0abcdabcdabcdabcd \
	--count 1 \
	--instance-type t2.micro \
	--key-name cc-project5-ssh-key \
	--security-group-ids sg-0abcd1234abcd1234 \
	--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=cc-project5-prod-instance}]' \
	--query 'Instances[]'

04 The command output should return the configuration information for the newly created EC2 instance:

[
	{
		"Architecture": "x86_64",
		"BlockDeviceMappings": [],
		"EbsOptimized": false,
		"EnaSupport": true,
		"Hypervisor": "xen",
		"NetworkInterfaces": [
			{
				"Attachment": {
					"AttachTime": "2025-07-01T11:50:48+00:00",
					"AttachmentId": "eni-attach-01234abcd1234abcd",
					"DeleteOnTermination": true,
					"DeviceIndex": 0,
					"Status": "attaching",
					"NetworkCardIndex": 0
				},
				"Description": "",
				"Groups": [
					{
						"GroupId": "sg-0abcd1234abcd1234",
						"GroupName": "cc-project5-security-group"
					}
				],
				"Ipv6Addresses": [],
				"NetworkInterfaceId": "eni-01234abcd1234abcd",
				"OwnerId": "123456789012",
				"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
				"PrivateIpAddress": "172.20.30.40",
				"PrivateIpAddresses": [
					{
						"Primary": true,
						"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
						"PrivateIpAddress": "172.20.30.40"
					}
				],
				"SourceDestCheck": true,
				"Status": "in-use",
				"SubnetId": "subnet-01234abcd1234abcd",
				"VpcId": "vpc-0abcd1234abcd1234",
				"InterfaceType": "interface",
				"Operator": {
					"Managed": false
				}
			}
		],
		"RootDeviceName": "/dev/xvda",
		"RootDeviceType": "ebs",
		"SecurityGroups": [
			{
				"GroupId": "sg-0abcd1234abcd1234",
				"GroupName": "cc-project5-security-group"
			}
		],
		"SourceDestCheck": true,
		"StateReason": {
			"Code": "pending",
			"Message": "pending"
		},
		"Tags": [
			{
				"Key": "Name",
				"Value": "cc-project5-prod-instance"
			}
		],
		"VirtualizationType": "hvm",
		"CpuOptions": {
			"CoreCount": 1,
			"ThreadsPerCore": 1
		},
		"CapacityReservationSpecification": {
			"CapacityReservationPreference": "open"
		},
		"MetadataOptions": {
			"State": "pending",
			"HttpTokens": "required",
			"HttpPutResponseHopLimit": 2,
			"HttpEndpoint": "enabled",
			"HttpProtocolIpv6": "disabled",
			"InstanceMetadataTags": "disabled"
		},
		"EnclaveOptions": {
			"Enabled": false
		},
		"BootMode": "uefi-preferred",
		"PrivateDnsNameOptions": {
			"HostnameType": "ip-name",
			"EnableResourceNameDnsARecord": false,
			"EnableResourceNameDnsAAAARecord": false
		},
		"MaintenanceOptions": {
			"AutoRecovery": "default",
			"RebootMigration": "default"
		},
		"CurrentInstanceBootMode": "legacy-bios",
		"Operator": {
			"Managed": false
		},
		"InstanceId": "i-0abcd1234abcd1234",
		"ImageId": "ami-0abcdabcdabcdabcd",
		"State": {
			"Code": 0,
			"Name": "pending"
		},
		"PrivateDnsName": "ip-172-20-30-40.ec2.internal",
		"PublicDnsName": "",
		"StateTransitionReason": "",
		"KeyName": "cc-project5-ssh-key",
		"AmiLaunchIndex": 0,
		"ProductCodes": [],
		"InstanceType": "t2.micro",
		"LaunchTime": "2025-07-01T11:50:48+00:00",
		"Placement": {
			"GroupName": "",
			"Tenancy": "default",
			"AvailabilityZone": "us-east-1a"
		},
		"Monitoring": {
			"State": "disabled"
		},
		"SubnetId": "subnet-01234abcd1234abcd",
		"VpcId": "vpc-0abcd1234abcd1234",
		"PrivateIpAddress": "172.20.30.40"
	}
]

05 (Optional) You can terminate the source (non-compliant) EC2 instance in order to stop incurring charges for it. To shut down the instance, run the terminate-instances command (OSX/Linux/UNIX) with the source instance ID as the identifier parameter:

aws ec2 terminate-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd

06 The output should return the terminate-instances command request information:

{
	"TerminatingInstances": [
		{
			"InstanceId": "i-01234abcd1234abcd",
			"CurrentState": {
				"Code": 32,
				"Name": "shutting-down"
			},
			"PreviousState": {
				"Code": 16,
				"Name": "running"
			}
		}
	]
}

07 Repeat steps no. 1 – 6 for each Amazon EC2 instance that you want to re-create, available in the selected AWS cloud region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
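Steps 01 to 06 above describe a source instance, copy its settings into run-instances with an approved --image-id, and then terminate the original. The script below is an added example (not Conformity's own tooling) that builds those two commands from a describe-instances record, so the instance type, key pair, subnet, security groups, IMDSv2 setting and tags are carried over mechanically rather than retyped, and refuses to proceed if the replacement image is itself on the blocklist. The record, the approved AMI and the blocklist are constructed placeholders; the script prints the commands instead of running them so they can be reviewed first.

```python
#!/usr/bin/env python3
"""Generate the run-instances / terminate-instances commands that redeploy
an instance launched from a blocklisted AMI onto an approved one.

Added example, not part of the original page. Input is one or more
instance records as printed by
`aws ec2 describe-instances --query 'Reservations[*].Instances[]'`.
"""
import json
import shlex
import sys

# Constructed placeholders (assumption: blocklist from the rule settings, approved AMI = your golden image).
BLOCKLISTED_AMIS = {"ami-0abcd1234abcd1234"}
APPROVED_AMI = "ami-0abcdabcdabcdabcd"

# Constructed source record, trimmed to the fields the rebuild needs.
SOURCE_INSTANCE = {
    "InstanceId": "i-01234abcd1234abcd",
    "ImageId": "ami-0abcd1234abcd1234",
    "InstanceType": "t2.micro",
    "KeyName": "cc-project5-ssh-key",
    "SubnetId": "subnet-01234abcd1234abcd",
    "SecurityGroups": [{"GroupId": "sg-0abcd1234abcd1234", "GroupName": "cc-project5-security-group"}],
    "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2},
    "Tags": [{"Key": "Name", "Value": "cc-project5-prod-instance"}, {"Key": "env", "Value": "prod"}],
    "Placement": {"AvailabilityZone": "us-east-1a"},
}


def tag_spec(tags):
    """Render tags in the --tag-specifications shorthand used on the page."""
    pairs = ",".join(f"{{Key={t['Key']},Value={t['Value']}}}" for t in tags)
    return f"ResourceType=instance,Tags=[{pairs}]"


def build_run_instances(source, approved_ami, region, blocklist):
    """Return the argv for run-instances, or raise if the job makes no sense:
    the replacement image is blocklisted, or the source is already compliant."""
    if approved_ami in blocklist:
        raise ValueError(f"{approved_ami} is on the blocklist; refusing to launch from it")
    if source.get("ImageId") not in blocklist:
        raise ValueError(f"{source['InstanceId']} is already compliant; nothing to redeploy")

    argv = [
        "aws", "ec2", "run-instances",
        "--region", region,
        "--image-id", approved_ami,
        "--count", "1",
        "--instance-type", source["InstanceType"],
        "--subnet-id", source["SubnetId"],
        "--security-group-ids", *[g["GroupId"] for g in source["SecurityGroups"]],
    ]
    if source.get("KeyName"):
        argv += ["--key-name", source["KeyName"]]
    meta = source.get("MetadataOptions", {})
    if meta.get("HttpTokens") == "required":
        # Keep IMDSv2 enforcement rather than silently falling back to the default.
        hop = meta.get("HttpPutResponseHopLimit", 1)
        argv += ["--metadata-options", f"HttpTokens=required,HttpPutResponseHopLimit={hop}"]
    if source.get("Tags"):
        argv += ["--tag-specifications", tag_spec(source["Tags"])]
    argv += ["--query", "Instances[]"]
    return argv


def build_terminate(source, region):
    """Argv for step 05: terminate the non-compliant source instance."""
    return ["aws", "ec2", "terminate-instances", "--region", region,
            "--instance-ids", source["InstanceId"]]


if __name__ == "__main__":
    # Optional argument: a file holding the describe-instances JSON array; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            records = json.load(fh)
    else:
        records = [SOURCE_INSTANCE]
    for rec in records:
        # Assumes a standard AZ name such as us-east-1a; strip the zone letter to get the region.
        region = rec["Placement"]["AvailabilityZone"][:-1]
        print(shlex.join(build_run_instances(rec, APPROVED_AMI, region, BLOCKLISTED_AMIS)))
        print("# once the new instance is Running and the application has been migrated:")
        print(shlex.join(build_terminate(rec, region)))
```

The emitted terminate command is printed after the launch command on purpose: the page's order (launch, migrate, then terminate) is what avoids an outage, so the script never runs the two back to back itself.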

Publication date Sep 4, 2016