whoAMI Attacks: A New Threat to Amazon EC2 Instances


Cybersecurity researchers have uncovered a new type of attack called “whoAMI.” It exploits a name confusion weakness in how Amazon Web Services (AWS) resources are looked up, and allows attackers to gain code execution on Amazon EC2 instances.


How the Attack Works

The whoAMI attack targets the way software retrieves Amazon Machine Image (AMI) IDs. AMIs are pre-configured virtual machine images used to launch EC2 instances in AWS. When developers create EC2 instances, they often search for AMIs by name using the ec2:DescribeImages API. If the “owners” attribute is omitted from that search, AWS may return results that include public community AMIs published by any account.

Attackers exploit this by publishing a malicious AMI whose name matches the search criteria. If the victim’s system simply selects the most recently created matching AMI, it may end up launching the attacker’s backdoored image. Because the attacker controls what runs inside that image, this grants them remote code execution (RCE) on the instance.

Impact and Vulnerability

The whoAMI attack is a form of supply chain attack. It does not require breaching the target’s AWS account; the attacker only needs an AWS account of their own to publish a backdoored AMI to the public Community AMI catalog. The vulnerable lookup pattern appears in many private and open-source code repositories, making this a significant threat to AWS users.

According to Datadog researchers, approximately 1% of the organizations they monitor are vulnerable to whoAMI attacks, which likely translates to thousands of distinct AWS accounts. The attack was disclosed to Amazon in September 2024, and the company promptly fixed the issue on its side. However, the threat persists in environments where organizations have not updated their own code.

Mitigation Strategies

To mitigate the risk of whoAMI attacks, AWS introduced a new security control called “Allowed AMIs” in December 2024. This feature allows customers to create an allow list of trusted AMI providers. Users can access this feature via the AWS Console: EC2 → Account Attributes → Allowed AMIs.

Additionally, system administrators should audit their configurations and update their code to ensure safe AMI retrieval. They should always specify AMI owners when calling the ec2:DescribeImages API, and never rely on a “most_recent=true” setting without an owner filter, since that combination is exactly what lets an attacker’s newer image win the lookup.
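The following Python is an added example (not code from the original article or from Datadog) that covers both the lookup weakness described above and the owner-filter mitigation: it flags DescribeImages calls that filter by name without an owner restriction, and shows a “most recent” selection that only considers trusted owners. The events and image records are constructed samples, and the CloudTrail `ownersSet`/`filterSet` layout is assumed.

```python
# Constructed CloudTrail-style DescribeImages events. The requestParameters
# layout ("ownersSet"/"filterSet" with "items") is assumed, not copied from
# a real account.
SAMPLE_EVENTS = [
    {"eventName": "DescribeImages",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"filterSet": {"items": [
         {"name": "name", "valueSet": {"items": [{"value": "ubuntu/images/*"}]}}]}}},
    {"eventName": "DescribeImages",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {
         "ownersSet": {"items": [{"owner": "099720109477"}]},  # Canonical's published owner ID
         "filterSet": {"items": [
             {"name": "name", "valueSet": {"items": [{"value": "ubuntu/images/*"}]}}]}}},
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {}},
]

def unscoped_image_lookups(events):
    """Return caller ARNs of DescribeImages calls that filter by AMI name but
    set no owner restriction: the lookup pattern whoAMI relies on."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "DescribeImages":
            continue
        params = ev.get("requestParameters") or {}
        owners = (params.get("ownersSet") or {}).get("items") or []
        filters = (params.get("filterSet") or {}).get("items") or []
        uses_name = any(f.get("name") == "name" for f in filters)
        if uses_name and not owners:
            hits.append(ev["userIdentity"]["arn"])
    return hits

# Constructed DescribeImages results in the shape of the "Images" list.
# The second entry stands in for a newer image from an unknown account.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "OwnerId": "099720109477",
     "Name": "ubuntu/images/hvm-ssd/x", "CreationDate": "2024-06-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000bbbb", "OwnerId": "123456789012",
     "Name": "ubuntu/images/hvm-ssd/y", "CreationDate": "2025-01-15T00:00:00.000Z"},
]

def newest_trusted_image(images, allowed_owners):
    """Pick the most recent AMI, but only among images from allowed owners,
    so a newer image from an unexpected account can never be selected."""
    trusted = [img for img in images if img.get("OwnerId") in allowed_owners]
    if not trusted:
        return None
    # Same-format ISO-8601 timestamps sort correctly as strings.
    return max(trusted, key=lambda img: img["CreationDate"])
```

Running `unscoped_image_lookups` over real CloudTrail exports is a quick way to find which roles still perform the unsafe lookup before fixing the code that issues it.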

Conclusion

The whoAMI attack highlights the importance of secure practices in cloud environments. By understanding the mechanics of this attack and implementing the recommended mitigation strategies, AWS users can protect their EC2 instances from potential threats. Staying vigilant and keeping software up to date are crucial steps in maintaining a secure cloud infrastructure.
