whoAMI name confusion attacks can expose AWS accounts to malicious code execution

If the “owners” attribute is omitted when searching for an AMI, the researchers noted, AWS could return results that include public community AMIs from any account. Attackers can exploit this by publishing a malicious AMI with an identical name and a newer timestamp, tricking automated infrastructure-as-code (IaC) tools like Terraform into selecting a compromised image.

Victims are vulnerable only if they use the ec2.DescribeImages API with a name filter, omit the “owners” attribute, and select the most recent AMI, increasing the risk of deploying a compromised instance.
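As an added example (not code from the article or the researchers), the following Python check flags Terraform `aws_ami` data sources that meet all three conditions above: a name filter, no `owners` argument, and `most_recent = true`. The Terraform input, the AMI name pattern, the account ID and the function names are constructed for illustration, and the brace matching assumes no braces inside string values.

```python
import re

# Constructed Terraform input; the AMI name pattern and account ID are placeholders.
SAMPLE_TF = '''
data "aws_ami" "risky" {
  most_recent = true
  filter {
    name   = "name"
    values = ["example-app-base-*"]
  }
}
data "aws_ami" "pinned" {
  most_recent = true
  owners      = ["123456789012"]
  filter {
    name   = "name"
    values = ["example-app-base-*"]
  }
}
'''

BLOCK_START = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')

def ami_blocks(tf_text):
    """Yield (label, body) per aws_ami data block via simple brace matching."""
    for m in BLOCK_START.finditer(tf_text):
        depth, i = 1, m.end()
        while i < len(tf_text) and depth:
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        yield m.group(1), tf_text[m.end():i - 1]

def find_risky(tf_text):
    """Return labels of blocks meeting all three conditions from the article."""
    risky = []
    for label, body in ami_blocks(tf_text):
        # Remove nested blocks (e.g. filter) so only the block's own arguments remain.
        args = re.sub(r'\w+\s*\{[^{}]*\}', '', body)
        no_owners = not re.search(r'^\s*owners\s*=', args, re.M)
        newest = re.search(r'^\s*most_recent\s*=\s*true\b', args, re.M)
        by_name = re.search(r'\bname\s*=\s*"name"', body)
        if no_owners and newest and by_name:
            risky.append(label)
    return risky
```

Running `find_risky` over a repository's `.tf` files gives a list of data sources to pin to a trusted owner account.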

Amazon fixed the issue

Through the AWS Vulnerability Disclosure Program (VDP), researchers found that AWS’s own internal non-production systems were vulnerable, potentially allowing attackers to execute code inside AWS infrastructure. The issue was disclosed and promptly fixed in September 2024.
