If the “owners” attribute is omitted when searching for an AMI, the researchers noted, AWS can return results that include public community AMIs from any account. Attackers can exploit this by publishing a malicious AMI with a matching name and a newer timestamp, tricking automated infrastructure-as-code (IaC) tools such as Terraform into selecting a compromised image.
Victims are vulnerable only if they use the ec2.DescribeImages API with a name filter, omit the “owners” attribute, and select the most recent AMI, which increases the likelihood of deploying a compromised instance.
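The selection pattern described above, shown side by side with the corrected one, as an added example that is not code from the researchers or from AWS. It works on a constructed list of DescribeImages-style records so it runs offline; the account IDs and AMI IDs are placeholders.

```python
"""Picking an AMI by name: the risky way and the restricted way.

Added example (not from the original article). The records below are
constructed to look like ec2.DescribeImages output; owner and image IDs
are placeholders, not real accounts.
"""
from datetime import datetime

TRUSTED_OWNERS = {"111111111111"}  # placeholder: the account that builds our AMIs

# Constructed sample: two of our own images plus one public image from an
# unrelated account that matches the name pattern and has a newer timestamp.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "corp-base-2024-09-01",
     "OwnerId": "111111111111", "CreationDate": "2024-09-01T10:00:00.000Z", "Public": False},
    {"ImageId": "ami-0000000000000002", "Name": "corp-base-2024-09-15",
     "OwnerId": "111111111111", "CreationDate": "2024-09-15T10:00:00.000Z", "Public": False},
    {"ImageId": "ami-0000000000000003", "Name": "corp-base-2024-09-20",
     "OwnerId": "999999999999", "CreationDate": "2024-09-20T10:00:00.000Z", "Public": True},
]


def _created(img):
    return datetime.strptime(img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def newest_unfiltered(images):
    """The risky pattern: newest match regardless of who published it."""
    return max(images, key=_created)


def newest_from_trusted(images, trusted_owners=TRUSTED_OWNERS):
    """The fix: keep only images from trusted owners, then take the newest.
    In a live call this corresponds to passing Owners=[...] to describe_images;
    re-checking OwnerId on the response is the belt-and-braces step."""
    allowed = [i for i in images if i["OwnerId"] in trusted_owners]
    if not allowed:
        raise LookupError("no AMI from a trusted owner matches the name filter")
    return max(allowed, key=_created)


def untrusted_newer_than_trusted(images, trusted_owners=TRUSTED_OWNERS):
    """Audit helper: list images from other accounts that would win a
    'most recent' selection, i.e. the condition the article describes."""
    latest_trusted = newest_from_trusted(images, trusted_owners)
    return [i["ImageId"] for i in images
            if i["OwnerId"] not in trusted_owners
            and _created(i) > _created(latest_trusted)]
```

Running the audit helper over the real output of describe_images for each name filter used in your IaC shows whether any pipeline currently depends on the unrestricted selection.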
Amazon fixed the problem
Through the AWS Vulnerability Disclosure Program (VDP), the researchers found that AWS’s own internal non-production systems were vulnerable, potentially allowing attackers to execute code inside AWS infrastructure. The issue was disclosed and promptly fixed in September 2024.