fix(ec2_ami_public): correct check metadata and logic (#2618)

2026-02-10 14:55:00 +00:00 · 2023-07-26 10:34:04 +02:00
parent e721251936
commit 69fad0009d
2 changed files with 4 additions and 7 deletions
--- a/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_ami_public/ec2_ami_public.metadata.json
@@ -11,7 +11,7 @@
  "Severity": "critical",
  "ResourceType": "Other",
  "Description": "Ensure there are no EC2 AMIs set as Public.",
-  "Risk": "A shared AMI is an AMI that a developer created and made available for other developers to use. If AMIs have embebed information about the environment could pose a security risk. You use a shared AMI at your own risk. Amazon can not vouch for the integrity or security of AMIs shared by Amazon EC2 users.",
+  "Risk": "When your AMIs are publicly accessible, they are available in the Community AMIs where everyone with an AWS account can use them to launch EC2 instances. Your AMIs could contain snapshots of your applications (including their data), therefore exposing your snapshots in this manner is not advised.",
  "RelatedUrl": "",
  "Remediation": {
    "Code": {
@@ -21,8 +21,8 @@
      "Terraform": ""
    },
    "Recommendation": {
-      "Text": "List all shared AMIs and make sure there is a business reason for them.",
-      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html"
+      "Text": "We recommend your EC2 AMIs are not publicly accessible, or generally available in the Community AMIs.",
+      "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html"
    }
  },
  "Categories": [
--- a/prowler/providers/aws/services/ec2/ec2_service.py
+++ b/prowler/providers/aws/services/ec2/ec2_service.py
@@ -316,20 +316,17 @@ class EC2:
    def __describe_images__(self, regional_client):
        logger.info("EC2 - Describing Images...")
        try:
-            public = False
            for image in regional_client.describe_images(Owners=["self"])["Images"]:
                arn = f"arn:{self.audited_partition}:ec2:{regional_client.region}:{self.audited_account}:image/{image['ImageId']}"
                if not self.audit_resources or (
                    is_resource_filtered(arn, self.audit_resources)
                ):
-                    if image["Public"]:
-                        public = True
                    self.images.append(
                        Image(
                            id=image["ImageId"],
                            arn=arn,
                            name=image["Name"],
-                            public=public,
+                            public=image.get("Public", False),
                            region=regional_client.region,
                            tags=image.get("Tags"),
                        )