id: publicly-shared-ami
info:
  name: Publicly Shared AMI
  author: princechaddha
  severity: medium
  description: |
    Checks if Amazon Machine Images (AMIs) are publicly shared, potentially exposing sensitive data.
  impact: |
    Public sharing of AMIs can lead to unauthorized access and compromise of sensitive information contained within these images.
  remediation: |
    Restrict AMI sharing to specific, trusted AWS accounts and ensure they are not publicly accessible.
  reference:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
  tags: cloud,devops,aws,amazon,ami,aws-cloud-config

variables:
  region: "us-east-1"

flow: |
  code(1)
  for(let AmiName of iterate(template.amis)){
    set("ami", AmiName)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId' --output json

    extractors:
      - type: json
        name: amis
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
         aws ec2 describe-images --region $region --image-ids $ami --owners self --query 'Images[*].Public'

    matchers:
      - type: word
        words:
          - "true"

    extractors:
      - type: dsl
        dsl:
          - 'ami + " AMI is publically shared"'
# digest: 4a0a004730450220193e6725ccb97bbd7071e4dad36601e0e8625dd4901a653eacf3141faf6e8a82022100d7d61c14183f4a6563ac749634aa9af5e01332d52583cba6e703cf4958bbe63f:922c64590222798bb761d5b6d8e72950