If the “owners” attribute is omitted when searching for an AMI, the researchers noted, AWS can return results that include public community AMIs from any account. An attacker can exploit this by publishing a malicious AMI whose name matches the victim’s search pattern and whose creation timestamp is newer than the legitimate image, tricking automated infrastructure-as-code (IaC) tooling such as Terraform into selecting the compromised image.
Victims are exposed only when all three conditions hold: they call the ec2.DescribeImages API with a name filter, omit the “owners” attribute, and pick the most recent matching AMI. When they do, the automation can launch an instance built from an attacker-controlled image.
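As an added illustration (not code from the researchers or from AWS), the following Python simulates that selection logic against a constructed DescribeImages result set, once without and once with an owner filter. The image names, AMI IDs and account IDs are placeholders invented for the example, and the two helper functions stand in for the real API call and for a “most recent” selection such as Terraform’s most_recent = true.

```python
import fnmatch
from typing import Dict, List, Optional

# Placeholder account IDs (constructed for the example, not real accounts).
TRUSTED_OWNER = "111122223333"   # hypothetical: the publisher you actually trust
ATTACKER_OWNER = "444455556666"  # hypothetical: any other AWS account

# Constructed sample of what ec2.DescribeImages could return for a public
# name search. Both images match the pattern "myapp-base-*"; the newer one was
# published from a different account. AMI IDs are made up.
SAMPLE_IMAGES: List[Dict] = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "myapp-base-20240901",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-09-01T10:00:00.000Z",
     "Public": True},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "myapp-base-20250215",
     "OwnerId": ATTACKER_OWNER, "CreationDate": "2025-02-15T08:30:00.000Z",
     "Public": True},
]


def describe_images(images: List[Dict], name_filter: str,
                    owners: Optional[List[str]] = None) -> List[Dict]:
    """Stand-in for DescribeImages(Filters=[{'Name': 'name', 'Values': [name_filter]}],
    Owners=owners). Without Owners, every public image whose name matches is
    returned, regardless of who published it. AWS name filters accept the
    wildcards * and ?, which fnmatch handles the same way."""
    matches = [img for img in images if fnmatch.fnmatchcase(img["Name"], name_filter)]
    if owners:
        matches = [img for img in matches if img["OwnerId"] in owners]
    return matches


def most_recent(images: List[Dict]) -> Optional[Dict]:
    """Pick the newest image. CreationDate is fixed-width ISO 8601 UTC, so the
    strings compare correctly without parsing."""
    if not images:
        return None
    return max(images, key=lambda img: img["CreationDate"])


def pick_ami(images: List[Dict], name_filter: str,
             owners: Optional[List[str]] = None) -> Optional[Dict]:
    """The full vulnerable-or-hardened pipeline: name filter, optional owner
    filter, then newest wins."""
    return most_recent(describe_images(images, name_filter, owners))


if __name__ == "__main__":
    # Vulnerable: name filter + most recent, no owners -> attacker's image wins.
    hit = pick_ami(SAMPLE_IMAGES, "myapp-base-*")
    print("no owners filter  ->", hit["ImageId"], "owned by", hit["OwnerId"])
    # Hardened: restrict to the publisher you trust -> legitimate image.
    hit = pick_ami(SAMPLE_IMAGES, "myapp-base-*", owners=[TRUSTED_OWNER])
    print("owners restricted ->", hit["ImageId"], "owned by", hit["OwnerId"])
```

The fix is the same whether the lookup is a boto3 call or a Terraform data "aws_ami" block: pass the account IDs (or aliases such as amazon or self) you trust in Owners / owners, so that a newer public image from an unknown account can never satisfy the query. Treating “newest matching name” as a trust decision is the actual bug; the owner filter is what turns the name into an identity.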
Amazon fixed the issue
Through the AWS Vulnerability Disclosure Program (VDP), the researchers found that AWS’s own internal non-production systems were vulnerable, potentially allowing attackers to execute code inside AWS infrastructure. The issue was disclosed and promptly fixed in September 2024.