whoAMI name confusion attacks can expose AWS accounts to malicious code execution

by CybrGPT

Due to a misconfiguration, developers could be tricked into retrieving malicious Amazon Machine Images (AMI) while creating EC2 instances.


Thousands of active AWS accounts are vulnerable to a cloud image name confusion attack that could allow attackers to execute code within those accounts.

According to Datadog research, vulnerable patterns exist in the way multiple software projects retrieve Amazon Machine Image (AMI) IDs to create Amazon Elastic Compute Cloud (EC2) instances.

“The vulnerable pattern allows anyone that publishes an AMI with a specially crafted name to gain code execution within the vulnerable AWS account,” the researchers said in a blog post. “If executed at scale, this attack could be used to gain access to thousands of accounts.”

The whoAMI attack

Researchers have demonstrated that the attack vector “whoAMI” can impact many private and open-source code repositories. Over 10,000 AWS accounts are vulnerable to this attack, about 1% of the reported one million active AWS deployments.

The whoAMI attack is a name confusion exploit, a type of supply chain attack in which misconfigured software is tricked into using a malicious resource. Unlike dependency confusion attacks, which target software dependencies such as pip packages, whoAMI involves a rogue virtual machine image impersonating a legitimate one.

An AMI is a pre-configured virtual machine template used to launch EC2 instances in AWS. It includes the OS, software, and configuration. Users can specify a known AMI ID or search for the latest public AMIs using the ec2.DescribeImages API to find region-specific options.

If the “owners” attribute is omitted when searching for an AMI, the researchers noted, AWS may return results that include public community AMIs from any account. Attackers can exploit this by publishing a malicious AMI with a matching name and a newer timestamp, tricking automated infrastructure-as-code (IaC) tools such as Terraform into selecting the compromised image.

Victims are vulnerable only if they use the ec2.DescribeImages API with a name filter, omit the “owners” attribute, and select the most recent AMI; that combination is what lets a newer, attacker-published image win the selection and leads to a compromised instance being deployed.
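To make the three conditions concrete, the following added example (not Datadog's code and not the whoAMI-scanner tool) simulates the DescribeImages lookup over a constructed image catalog. The image records, owner account IDs and AMI IDs are invented placeholders that mimic the shape of an ec2.DescribeImages response; the point is that the same name filter and "most recent" rule selects a different image depending on whether the owner list is supplied. A small audit helper at the end shows the defender-side check: flag any AMI in use whose owner is not on the trusted list.

```python
"""Simulated AMI lookup: vulnerable (no owners) vs hardened (owners pinned).

All records below are constructed for this example and only mimic the
fields returned by ec2.DescribeImages (ImageId, Name, OwnerId, CreationDate).
"""
from datetime import datetime
import fnmatch

TRUSTED_OWNER = "111111111111"   # constructed: the vendor account we actually want
ROGUE_OWNER = "999999999999"     # constructed: an unrelated community publisher

# Constructed catalog. The rogue image copies the vendor's naming scheme and
# carries a newer CreationDate, which is exactly what "most recent" keys on.
SAMPLE_IMAGES = [
    {"ImageId": "ami-legit-0001", "OwnerId": TRUSTED_OWNER, "Public": True,
     "Name": "example-linux/hvm-ssd/example-22.04-amd64-server-20240801",
     "CreationDate": "2024-08-01T00:00:00.000Z"},
    {"ImageId": "ami-legit-0002", "OwnerId": TRUSTED_OWNER, "Public": True,
     "Name": "example-linux/hvm-ssd/example-22.04-amd64-server-20240901",
     "CreationDate": "2024-09-01T00:00:00.000Z"},
    {"ImageId": "ami-rogue-0001", "OwnerId": ROGUE_OWNER, "Public": True,
     "Name": "example-linux/hvm-ssd/example-22.04-amd64-server-20991231",
     "CreationDate": "2024-12-01T00:00:00.000Z"},
]

NAME_PATTERN = "example-linux/hvm-ssd/example-22.04-amd64-server-*"


def describe_images(images, name_pattern, owners=None):
    """Mimic ec2.DescribeImages with a 'name' filter and an optional Owners list.

    With owners=None every public image whose Name matches is returned, which is
    the behaviour the whoAMI research relies on.
    """
    hits = [img for img in images if fnmatch.fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        hits = [img for img in hits if img["OwnerId"] in owners]
    return hits


def most_recent(images):
    """Return the image with the newest CreationDate, or None if nothing matched."""
    if not images:
        return None
    return max(images, key=lambda img: datetime.strptime(
        img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ"))


def lookup_vulnerable(images, name_pattern):
    """Name filter + most_recent, owners omitted: the vulnerable pattern."""
    return most_recent(describe_images(images, name_pattern))


def lookup_hardened(images, name_pattern, owners):
    """Same query with the owner list pinned: only trusted publishers can match."""
    return most_recent(describe_images(images, name_pattern, owners=owners))


def untrusted_amis(ami_ids_in_use, images, trusted_owners):
    """Defender check: which AMIs already in use come from an owner we do not trust?

    Unknown IDs (not in the catalog) are reported too, since their owner cannot
    be verified.
    """
    by_id = {img["ImageId"]: img for img in images}
    flagged = []
    for ami_id in ami_ids_in_use:
        img = by_id.get(ami_id)
        if img is None or img["OwnerId"] not in trusted_owners:
            flagged.append(ami_id)
    return flagged


if __name__ == "__main__":
    print("vulnerable picks:", lookup_vulnerable(SAMPLE_IMAGES, NAME_PATTERN)["ImageId"])
    print("hardened picks:  ", lookup_hardened(SAMPLE_IMAGES, NAME_PATTERN, [TRUSTED_OWNER])["ImageId"])
    print("untrusted in use:", untrusted_amis(["ami-legit-0002", "ami-rogue-0001"],
                                              SAMPLE_IMAGES, {TRUSTED_OWNER}))
```

Against a real account the same logic applies to the boto3 call `ec2.describe_images(Owners=[...], Filters=[{"Name": "name", "Values": [...]}])` or to a Terraform `aws_ami` data source with `most_recent = true`: the fix is always to pin `owners` to the publisher accounts you actually trust, never to rely on the name alone.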

Amazon fixed the problem

Through the AWS Vulnerability Disclosure Program (VDP), researchers found that AWS’s own internal non-production systems were vulnerable, potentially allowing attackers to execute code within AWS infrastructure. The issue was disclosed and promptly fixed in September 2024.

Later, on December 1, 2024, AWS introduced Allowed AMIs, a feature that lets users define a trusted allow list for AMI selection, mitigating the whoAMI name confusion attack.

The blog post included a list of queries developers can use to identify risky patterns in their code, along with a link to the open-source tool, whoAMI-scanner, for detecting untrusted AMIs in customer environments.

© 2025 cybrgpt.com – All rights reserved.