New AWS AMI Name Confusion Attack Exposes Cloud Infrastructure to Remote Code Execution

Cybersecurity researchers have uncovered a critical vulnerability in AWS cloud infrastructure that allows attackers to publish malicious Amazon Machine Images (AMIs) and potentially gain remote code execution within vulnerable AWS accounts.

The vulnerability, dubbed the "whoAMI name confusion attack," exploits a fundamental flaw in how organizations search for AMIs using the ec2:DescribeImages API. By crafting a maliciously named AMI that matches specific search patterns, attackers can trick automated systems into selecting and deploying their malicious virtual machine image.

Researchers from Datadog Security Labs discovered that approximately 1% of organizations monitored were potentially affected by this attack method. The vulnerability stems from misconfigurations in AMI retrieval processes, particularly when users fail to specify trusted "owners" during image searches.

An attacker can publish a public AMI with a name resembling legitimate images, such as "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*". If infrastructure-as-code scripts or manual searches do not include proper owner filters, the malicious AMI could be automatically selected and deployed.

The attack requires three specific conditions to be successful: using a name filter, failing to specify owner parameters, and retrieving the most recently created image from the returned list. This approach essentially tricks systems into selecting an attacker-controlled AMI that appears legitimate.

AWS has responded to the vulnerability by introducing the "Allowed AMIs" feature in December 2024, which enables customers to create an allowlist of trusted AMI providers. This account-level guardrail helps prevent unauthorized AMIs from being deployed within an organization's cloud environment.

Mitigation strategies recommended by researchers include:

HashiCorp has also updated Terraform to provide warnings and eventual errors when AMI searches lack proper owner specifications, further helping developers prevent such misconfigurations.

The discovery underscores the critical importance of secure cloud configuration practices. As cloud infrastructure becomes increasingly complex, organizations must remain vigilant about potential vulnerabilities that could compromise their entire computing environment.

Researchers emphasized that while the attack method is sophisticated, it relies on relatively simple misconfigurations that can be easily addressed through careful implementation and ongoing security monitoring.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: