Researchers have uncovered a name confusion attack named “whoAMI” that allows hackers to execute code on Amazon EC2 instances by exploiting how software projects retrieve AMI IDs. AWS has patched the vulnerability, but users are advised to specify AMI owners when using APIs for added security.
Key takeaways:
🔍 Attack Discovery: DataDog researchers found the “whoAMI” attack, which involves publishing malicious AMIs with specific names.
🛡️ Mitigation: AWS recommends always specifying AMI owners in API calls and using the ‘Allowed AMIs’ feature.
⚠️ Vulnerability Scope: The flaw was present in AWS’s internal systems but not exploited outside controlled tests.
🚫 No Data Breach: AWS confirmed no customer data was compromised due to this vulnerability.
📅 Patch History: The issue was fixed on September 19, 2024, with additional security controls introduced on December 1, 2024.
Practice Verified Codes and Commands:
1. Specify AMI Owner in API Calls:
aws ec2 describe-images --owners self --filters "Name=name,Values=my-ami"
2. List Amazon-Owned AMIs Matching a Name Pattern:
aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn2-ami-hvm-*"
3. Check AMI Permissions:
aws ec2 describe-image-attribute --image-id ami-0abcdef1234567890 --attribute launchPermission
4. Launch an EC2 Instance from a Specific AMI ID:
aws ec2 run-instances --image-id ami-0abcdef1234567890 --instance-type t2.micro
5. Verify AMI Ownership:
aws ec2 describe-images --image-ids ami-0abcdef1234567890 --query 'Images[*].OwnerId'
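To find existing scripts that still look up AMIs by name without an owner, the check below scans a shell script for aws ec2 describe-images calls that pass neither --owners nor --image-ids. It is an added example, not code from the original post or from AWS; the function names and the sample script are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag AMI lookups that match on
# filters alone. Function names and the sample script are constructed.

# Print "FILE:LINE: command" for every `aws ec2 describe-images` call in FILE
# that passes neither --owners nor --image-ids.
find_unpinned_ami_lookups() {
  awk -v file="$1" '
    function check(cmd, ln) {
      if (cmd ~ /^[ \t]*#/) return                        # comment line
      if (cmd !~ /ec2[ \t]+describe-images([ \t]|$)/) return
      if (cmd ~ /--owners[ \t=]/) return                  # owner is pinned
      if (cmd ~ /--image-ids[ \t=]/) return               # exact ID, no name match
      gsub(/[ \t]+/, " ", cmd)                            # collapse whitespace
      printf "%s:%d: %s\n", file, ln, cmd
    }
    {
      if (buf == "") start = NR                           # first line of a command
      line = $0
      # Join backslash-continued lines into one logical command.
      if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
      check(buf line, start)
      buf = ""
    }
    END { if (buf != "") check(buf, start) }
  ' "$1"
}

# Write a constructed deploy script used as sample input.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample, not taken from a real project
AMI=$(aws ec2 describe-images \
  --filters "Name=name,Values=my-ami-*" \
  --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text)
aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn2-ami-hvm-*"
aws ec2 describe-images --image-ids ami-0abcdef1234567890 --query 'Images[*].OwnerId'
aws ec2 describe-images --filters "Name=name,Values=my-ami"
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_unpinned_ami_lookups "$sample"   # reports lines 2 and 7 of the sample
rm -f "$sample"
```

Each reported line is a lookup to fix by adding --owners with an account ID or alias you trust. Lookups made through Terraform or an SDK need their own equivalent check.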
What Undercode Say:
The “whoAMI” attack highlights the importance of securing cloud environments, particularly in how AMIs are managed and retrieved. By exploiting name confusion, attackers can execute malicious code on EC2 instances, posing significant risks to cloud infrastructure. AWS has addressed this vulnerability, but users must adopt best practices to mitigate such threats.
To enhance security, always specify AMI owners in API calls and utilize the ‘Allowed AMIs’ feature. Regularly update your instances with the latest AMIs and verify AMI ownership to prevent unauthorized access. Additionally, monitor your cloud environment for any unusual activity using AWS CloudTrail and AWS Config.
For further reading on securing AWS EC2 instances, refer to the AWS Security Best Practices and AWS Well-Architected Framework.
In conclusion, the “whoAMI” attack serves as a reminder of the evolving nature of cyber threats in cloud environments. By implementing robust security measures and staying informed about the latest vulnerabilities, businesses and individuals can better protect their cloud infrastructure from potential attacks.