Preventing Unwanted Third-Party Access to AMIs
Question
You have a project that needs an AMI to pre-install several applications.
You search for the AWS Marketplace and find a public AMI that can meet your needs.
However, you are unsure if it is secure to use the AMI.
For example, it may contain pre-installed public SSH keys that may allow unwanted third-party access.
Which actions would you perform to prevent this?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - B.
About how to share and use public AMIs in a secure manner, check the reference in.
https://aws.amazon.com/articles/how-to-share-and-use-public-amis-in-a-secure-manner/.Option A is incorrect: Because the root user should be used to locate all authorized_keys files.
Option B is CORRECT: The below command is an example to locate all authorized_keys files in the disk: find / -name "authorized_keys" -print -exec cat {} \;
Option C is incorrect: Because public SSH keys are not guaranteed to be in the /root/.ssh/authorized_keys file.
Option D is incorrect: Because SSH public keys are not within the PEM files.
PEM files contain SSH private keys instead of public keys.
In this question, we should search for the public keys in authorized_keys files.
Out of the four options provided, none of them are completely correct or advisable for ensuring the security of the AMI. Therefore, let's discuss the right approach to verifying and securing a public AMI before using it for your project.
Firstly, it's important to note that using a public AMI can be risky, as it may contain security vulnerabilities or pre-installed software that you don't need or want. Hence, before using a public AMI, it is recommended to follow these steps:
Check the AWS Marketplace for the reputation of the AMI's publisher. Look for reviews and ratings, and ensure that the AMI is from a reputable source.
Check the AMI's product description, documentation, and the software installed on it to make sure that it meets your specific needs.
Verify the security posture of the AMI by checking if it is configured as per AWS best practices. AWS provides a service called AWS Trusted Advisor, which can help you to perform this check.
Run a vulnerability scanner on the AMI to identify any known security issues.
Test the AMI in a controlled environment before using it in production to ensure that it functions as expected and does not contain any security vulnerabilities.
Assuming you have followed the above steps and determined that the AMI is suitable for your project, here are the actions that you should perform to secure the AMI:
After launching the instance from the AMI, log in as the ec2-user.
Search for all the authorized_keys files on the disk, including the ec2-user's and root's.
Check each authorized_keys file for any public SSH keys that you don't recognize.
If you find any unauthorized public SSH keys, remove them from the authorized_keys file.
Repeat this process for each authorized_keys file on the disk.
Note that the correct option (B) from the given choices is only partially correct because it only mentions locating and removing unauthorized public SSH keys. However, it doesn't mention the importance of performing this action on all authorized_keys files, nor does it specify logging in as the ec2-user instead of root. The other options are incorrect because they suggest searching for private SSH keys or logging in as the root user, which is not advisable.
In summary, before using a public AMI, it's important to verify its reputation, security posture, and functionality. Once you've launched an instance from the AMI, log in as the ec2-user and search for and remove any unauthorized public SSH keys from all authorized_keys files on the disk.
