A newly discovered vulnerability, dubbed the “whoAMI” attack, has exposed Amazon EC2 instances to potential remote code execution, posing significant risks to cloud infrastructure. This critical flaw highlights the importance of stringent security measures in cloud environments.
Amazon responded to the flaw in September 2024, a month after Datadog initially discovered it, but the problem persists on the customer side wherever organizations have not updated their code.
Datadog Security Labs reported on February 12, 2025, that the whoAMI attack leverages a name confusion vulnerability in Amazon Machine Images (AMIs). They found that attackers could exploit this flaw by publishing malicious AMIs with names resembling legitimate ones. When users or automated systems retrieve AMIs using the ec2:DescribeImages API without specifying trusted owners, they may inadvertently select these malicious images.
This vulnerability arises from misconfigurations in how AMI searches are performed. For example, infrastructure-as-code tools like Terraform may use the “most_recent=true” attribute, which automatically selects the latest AMI matching the search criteria. If the owner parameter is not explicitly defined, this can result in deploying a malicious AMI.
To address this issue, AWS now allows users to create an allow list of trusted AMI providers by specifying account IDs or predefined keywords like “amazon.” This defense-in-depth feature ensures that only verified AMIs are used in EC2 deployments.
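As an added example (not code from the article, Datadog or AWS), the Python below models how a most_recent-style lookup over ec2:DescribeImages results behaves with and without an owner allow list, so the name-confusion risk and the owner-pinning fix can be checked offline. The image records, names and account IDs are constructed placeholders, not real AMIs.

```python
"""Model of an AMI lookup with most_recent=true, with and without owner pinning.

Example code for this article, not Datadog's or AWS's. The records mirror the
fields ec2:DescribeImages returns (ImageId, Name, OwnerId, ImageOwnerAlias,
CreationDate); all values below are constructed placeholders.
"""
from fnmatch import fnmatchcase

# Constructed sample: a trusted image, plus a look-alike published later from
# an account that is not on the allow list (placeholder account IDs).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0123456789abcdef0",
     "Name": "al2023-ami-2024.01.01-kernel-6.1-x86_64",
     "OwnerId": "123456789012", "ImageOwnerAlias": "amazon",
     "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0fedcba9876543210",
     "Name": "al2023-ami-2024.09.15-kernel-6.1-x86_64",   # similar name, newer
     "OwnerId": "111111111111",                            # untrusted account
     "CreationDate": "2024-09-15T00:00:00.000Z"},
]


def owner_allowed(image, owners):
    """True if the image's account ID or owner alias (e.g. 'amazon') is allowed."""
    return image["OwnerId"] in owners or image.get("ImageOwnerAlias") in owners


def select_ami(images, name_pattern, owners=None):
    """Mirror a most_recent=true lookup: glob-match Name, optionally restrict to
    trusted owners, and return the newest remaining image (or None).
    CreationDate is ISO-8601 UTC, so plain string comparison orders it."""
    candidates = [img for img in images if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        candidates = [img for img in candidates if owner_allowed(img, owners)]
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])


def audit_lookup(images, name_pattern, owners):
    """Show what an unpinned lookup would pick versus the owner-pinned lookup,
    and flag the unpinned result if it falls outside the allow list."""
    unpinned = select_ami(images, name_pattern)
    pinned = select_ami(images, name_pattern, owners)
    return {
        "unpinned": unpinned["ImageId"] if unpinned else None,
        "pinned": pinned["ImageId"] if pinned else None,
        "hijacked": unpinned is not None and not owner_allowed(unpinned, owners),
    }
```

Run audit_lookup against the real describe_images output of an account to see which lookups would silently switch images if a newer, similarly named AMI appeared.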