Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Allowed AMIs Feature in Use

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Allowed AMIs feature is utilized in Amazon EC2 in order to control the discovery and use of public AMIs or AMIs shared with your AWS account. This feature guarantees that only authorized Amazon Machine Images (AMIs) are used to launch EC2 instances, enhancing security, compliance, and control over the AMIs used within your AWS cloud environment.

This rule can help you work with the AWS Well-Architected Framework.

Security

There are three key benefits of using the Allowed AMIs feature in your AWS account. Firstly, it enhances compliance and security by enabling users to discover and utilize only those AMIs that meet established criteria. This effectively mitigates the risk of utilizing non-approved or non-compliant Amazon Machine Images (AMIs). Secondly, the feature facilitates efficient management. By restricting the number of allowed AMIs, organizations can more easily and effectively oversee the remaining images. Lastly, it enables centralized account-level implementation. Users can configure the settings of the Allowed AMIs feature either directly within their AWS cloud account or through a declarative policy (i.e., Allowed AMIs criteria). This centralized approach ensures efficient management of AMI usage throughout the entire AWS account.

Audit

To determine if the Allowed AMIs feature is utilized to control the discovery and use of AMIs within your AWS account, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

  3. In the left navigation panel, choose Dashboard to access the Amazon EC2 main dashboard.

  4. In the Account attributes section, under Settings, choose Allowed AMIs.

  5. In the Allowed AMIs configuration section, check the Allowed AMIs settings status. If the Allowed AMIs settings status is set to Disabled, the Allowed AMIs feature is not being used to control the discovery and utilization of Amazon Machine Images (AMIs) within the current AWS region.

  6. Change the AWS cloud region from the console navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

  1. Run get-allowed-images-settings command (OSX/Linux/UNIX) with custom output filters to get the current state of the Allowed AMIs feature in the specified AWS cloud region:

    aws ec2 get-allowed-images-settings
	--region us-east-1
	--query 'State'

  2. The command output should return the state (status) of the Allowed AMIs feature in the selected region:

    "disabled"

    If the get-allowed-images-settings command output returns "disabled", no restrictions are placed on AMI discoverability or usage in the specified region. Therefore, the Allowed AMIs feature is not being used to control the discovery and utilization of Amazon Machine Images (AMIs) in the selected AWS region.

  3. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.

Remediation / Resolution

To ensure that Amazon EC2 instances can only be launched using allowed, approved AMIs, enable and configure the Allowed AMIs feature by performing the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

  3. In the left navigation panel, choose Dashboard to access the Amazon EC2 main dashboard.

  4. In the Account attributes section, under Settings, choose Allowed AMIs.

  5. In the Allowed AMIs configuration section, choose Manage, and perform the following actions:

    1. Set Allowed AMIs settings to Audit mode. Audit mode enables you to verify which Amazon Machine Images (AMIs) would be affected by your AMI criteria without actually restricting access, providing a risk-free evaluation period. With Audit mode, you can check for impact on expected business processes.
    2. In the AMI criteria text box, configure the Allowed AMIs criteria so the approved AMIs align with your organization's security policies, compliance requirements, and operational needs, then choose Update to apply the changes. The AMI criteria is specified in JSON format. Currently, the only supported criteria is represented by the AMI providers. Valid values are: AWS aliases, AWS account IDs, and none (only your AMIs are allowed). For more details, check the AWS documentation on Allowed AMIs criteria. As an example, the following AMI criteria allows only AMIs created by AWS, AMIs created by verified providers in the AWS Marketplace, and AMIs created by an authorized AWS account identified by "123456789012": 
      	{
		"ImageCriteria": [
			{
				"ImageProviders": [
					"amazon",
					"aws-marketplace",
					"123456789012"
				]
			}
		]
	}
    3. Once you have confirmed that the AMI criteria specified in the previous step will not negatively impact expected business processes, set Allowed AMIs settings to Enabled to enable the Allowed AMIs feature in the current AWS region. Choose Update to apply the changes.

  6. Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

  1. Run enable-allowed-images-settings command (OSX/Linux/UNIX) to enable the audit mode in the specified AWS region. Audit mode allows you to verify which Amazon Machine Images (AMIs) would be affected by your AMI criteria without actually restricting access, providing a risk-free evaluation period. This allows you to check for impact on expected business processes:

    aws ec2 enable-allowed-images-settings
	--region us-east-1
	--allowed-images-settings-state audit-mode

  2. The command output should return the current state of the Allowed AMIs feature (i.e., "audit-mode"):

    {
	"AllowedImagesSettingsState": "audit-mode"
}

  3. To align with your organization's security policies, compliance requirements, and operational needs, specify the criteria that automatically filter and determine which Amazon Machine Images (AMIs) can be discovered and used in the selected AWS region. The AMI criteria is specified in JSON format. Currently, the only supported criteria is represented by the AMI providers. Valid values are: AWS aliases, AWS account IDs, and none (only your AMIs are allowed). For more details, check the AWS documentation on Allowed AMIs criteria. As an example, the following AMI criteria allows only AMIs created by AWS, AMIs created by verified providers in the AWS Marketplace, and AMIs created by an authorized AWS account identified by "123456789012". Save your AMI criteria to JSON configuration file named cc-image-criteria.json:

    {
	"ImageCriteria": [
		{
			"ImageProviders": [
				"amazon",
				"aws-marketplace",
				"123456789012"
			]
		}
	]
}

  4. Run replace-image-criteria-in-allowed-images-settings command (OSX/Linux/UNIX) to apply the AMI criteria defined in the previous step (i.e., cc-image-criteria.json configuration file):

    aws ec2 replace-image-criteria-in-allowed-images-settings
	--region us-east-1
	--cli-input-json file://cc-image-criteria.json

  5. The command output should return **true** if the request succeeds:

    {
	"ReturnValue": true
}

  6. Run describe-instance-image-metadata command (OSX/Linux/UNIX) to identify any Amazon EC2 instances that were launched with AMIs that don't meet your AMI criteria. This information can inform your decision on whether to update your EC2 launch configurations or CloudFormation templates to utilize approved, compliant AMIs or to modify your criteria to permit the use of these AMIs:

    aws ec2 describe-instance-image-metadata
	--region us-east-1
	--query 'InstanceImageMetadata'

  7. The command output should return the requested EC2 instance metadata:

    [
	{
		"InstanceId": "i-0abcd1234abcd1234",
		"InstanceType": "t3.large",
		"LaunchTime": "2025-02-00T12:46:03+00:00",
		"AvailabilityZone": "us-east-1a",
		"ZoneId": "use1-az2",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"OwnerId": "123456789012",
		"ImageMetadata": {
			"ImageId": "ami-01234abcd1234abcd",
			"Name": "al2023-ami-2023.6.20250211.0-kernel-6.1-x86_64",
			"OwnerId": "137112412989",
			"State": "available",
			"ImageOwnerAlias": "amazon",
			"ImageAllowed": true,
			"IsPublic": true
		}
	},

	...

	{
		"InstanceId": "i-01234abcd1234abcd",
		"InstanceType": "t3.xlarge",
		"LaunchTime": "2025-02-00T12:46:42+00:00",
		"AvailabilityZone": "us-east-1b",
		"ZoneId": "use1-az2",
		"State": {
			"Code": 16,
			"Name": "running"
		},
		"OwnerId": "123456789012",
		"ImageMetadata": {
			"ImageId": "ami-0abcd1234abcd1234",
			"Name": "ubuntu-pro-server/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-pro-server-20250115",
			"OwnerId": "099720109477",
			"State": "available",
			"ImageOwnerAlias": "amazon",
			"ImageAllowed": true,
			"IsPublic": true
		}
	}
]

  8. Once you have confirmed that the AMI criteria specified in the cc-image-criteria.json configuration file will not negatively impact expected business processes, run the enable-allowed-images-settings command (OSX/Linux/UNIX) to enable the Allowed AMIs feature in the selected AWS region:

    aws ec2 enable-allowed-images-settings
	--region us-east-1
	--allowed-images-settings-state enabled

  9. The command output should return the current state of the Allowed AMIs feature (i.e., "enabled"):

    {
	"AllowedImagesSettingsState": "enabled"
}

  10. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

References

Publication date Feb 18, 2025

Related EC2 rules