If you look in AWS Marketplace or even search from the EC2 Launch page, you will see that there are lots of AMIs to choose from. Many of these AMIs are provided by community members or third-party providers. How are you to know that the AMI that you are about to launch in your environment doesn’t have a back door embedded inside of it for the creator to gain access to your network? The following are some steps you can take to use these types of AMIs in a more secure manner:
find / -type f -name "authorized_keys" -print -exec cat {} \;
This command, run as the root user on an instance launched from the AMI, locates every authorized_keys file on the image and prints the public keys it contains. Each key grants passwordless SSH login to the account that owns the file, so if any key appears that you don't recognize, remove it (or the whole file) and create a new AMI from the cleaned instance.
As an extra precaution with an image you have obtained from public sources, don't allow inbound SSH access (TCP port 22) from any IP address (0.0.0.0/0) in your security groups. Restrict the inbound rule to a tightened list of IP ranges that need access, so that a key you missed still cannot be used from the outside.
cat /etc/passwd /etc/shadow | grep -E '^[^:]*:[^:]{3,}' | cut -d: -f1
Run as root (only root can read /etc/shadow), this command prints the name of every account whose password field holds an actual hash of three or more characters rather than a placeholder such as x, * or !! (which mark locked or password-less accounts). If there is any output from the command, such as usernames you don't recognize, you can use the passwd command (still as the root user) to change the password, or use the userdel command to delete the user.
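The two checks above can be combined into one reusable sweep. The following script is an added example and is not from the book or from AWS; it assumes you point it at the root of the filesystem to inspect (for instance "/" on a throwaway instance launched from the AMI, or the mount point of the image's root volume attached to a trusted instance), and that you keep an allowlist file of the public keys you expect to find. The key material, account names and shadow entries it builds into a temporary fixture are constructed placeholders for demonstration only. It goes slightly beyond the page by also catching keys hidden behind authorized_keys options such as command="..." and by flagging extra UID 0 accounts in /etc/passwd.

```shell
#!/bin/sh
# Sweep a filesystem tree for planted SSH keys and password-enabled accounts.
# Added example, not from the original text. Usage: sweep.sh ROOT [ALLOWLIST]
# ROOT is "/" or the mount point of an AMI's root volume (assumed to be mounted already).
# ALLOWLIST holds one expected public key per line: "type base64 [comment]".

# Every authorized_keys file under ROOT (home directories, /root, anywhere else).
find_authorized_keys() {
    find "$1" -type f -name authorized_keys 2>/dev/null
}

# Keys present on the image but absent from the allowlist, as "file: type comment".
# Entries may carry options (command="...", from="...") before the key type, which
# shifts the key into a later field, so locate the type field instead of using $1.
unexpected_keys() {
    root="$1"; allow="$2"
    find_authorized_keys "$root" | while IFS= read -r f; do
        awk -v file="$f" '
            FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) allow[$1 " " $2] = 1; next }
            /^[ \t]*(#|$)/ { next }
            {
                for (i = 1; i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/; i++) ;
                if (i > NF) { print file ": unparsable line " FNR; next }
                key = $i " " $(i + 1)
                comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                if (!(key in allow)) print file ": " $i " " comment
            }
        ' "$allow" "$f"
    done | sort
}

# Accounts whose shadow password field is a real hash (3+ chars), i.e. not *, ! or !!.
password_accounts() {
    grep -E '^[^:]*:[^:]{3,}' "$1" 2>/dev/null | cut -d: -f1
}

# Any account besides root with UID 0 is a second root login, however it is named.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" 2>/dev/null
}

sweep() {
    root="$1"; allow="${2:-/dev/null}"
    echo "== authorized_keys files under $root";      find_authorized_keys "$root" | sort
    echo "== keys not in allowlist $allow";           unexpected_keys "$root" "$allow"
    echo "== accounts with a usable password hash";   password_accounts "$root/etc/shadow"
    echo "== UID 0 accounts other than root";         extra_root_accounts "$root/etc/passwd"
}

# Constructed fixture imitating a suspicious image; keys and hashes are not real.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/home/ec2-user/.ssh" "$fx/root/.ssh" "$fx/etc"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE admin@corp.example\n' \
        > "$fx/home/ec2-user/.ssh/authorized_keys"
    printf '# left by image builder\ncommand="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEYTWO builder@example\n' \
        > "$fx/root/.ssh/authorized_keys"
    printf 'root:x:0:0:root:/root:/bin/bash\nec2-user:x:1000:1000::/home/ec2-user:/bin/bash\nsvcmaint:x:0:0::/root:/bin/bash\n' \
        > "$fx/etc/passwd"
    printf 'root:*:19000:0:99999:7:::\nec2-user:!!:19000:0:99999:7:::\nsvcmaint:$6$abc$FAKEHASH:19000:0:99999:7:::\n' \
        > "$fx/etc/shadow"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE admin@corp.example\n' > "$fx/known_keys"
    echo "$fx"
}

if [ "$#" -gt 0 ]; then
    sweep "$1" "$2"
else
    FX=$(make_fixture)
    sweep "$FX" "$FX/known_keys"
    rm -rf "$FX"
fi
```

Against the fixture the sweep reports the root account's option-prefixed builder key, the svcmaint account both as having a live password hash and as a second UID 0 login, and stays silent on the allowlisted ec2-user key. Two things it does not cover and that are worth checking by hand: sshd_config can point AuthorizedKeysFile at a different path or an AuthorizedKeysCommand, and the instance's own cron jobs or startup scripts can re-create a key after you delete it.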
Note
The scripts and steps presented here are for your information as you work as a security professional. Knowing the exact steps to sweep an AMI for planted keys is not a skill that’s tested in the AWS Certified Security Specialty certification exam.
The next section will talk about how to configure EC2 instances automatically with the use of user data scripts.