Using Shared AMIs
This section describes how to find and safely use shared AMIs. One of the easiest ways to get started with Amazon EC2 is to use a shared AMI that has the components you need and add custom content.
To find shared AMIs
- Use the ec2-describe-images command (or the abbreviated ec2dim command) with a flag to filter the results.
Example
This command displays a list of all public AMIs:
PROMPT> ec2dim -x all
The -x all flag shows AMIs executable by all users. This includes AMIs you own.
This command displays a list of AMIs for which you have explicit launch permissions:
PROMPT> ec2dim -x self
AMIs that you own are excluded from the list.
This command displays a list of AMIs owned by Amazon:
PROMPT> ec2dim -o amazon
This command displays a list of AMIs owned by a particular user:
PROMPT> ec2dim -o <target_uid>
where <target_uid> is the account ID of the user who owns the AMIs for which you are looking.
AMIs are launched at the user's own risk. Amazon cannot vouch for the integrity or security of AMIs shared by other users. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence.
Ideally, you should get the AMI ID from a trusted source (a website, another user, etc.). If you do not know the source of an AMI, we recommend that you search the forums for comments on the AMI before launching it. Conversely, if you have questions or observations about a shared AMI, feel free to use the AWS forums to ask or comment.
Amazon's public images have an aliased owner and display amazon in the userId field. This allows you to find Amazon's public images easily.
Note: Users cannot alias an AMI's owner.
If you choose to launch a shared AMI, take the following minimum steps after launch to confirm the AMI is not doing anything malicious:
- Check the ssh authorized keys file. The only key in the file should be the key you used to launch the AMI.
- Check open ports and running services.
- Change the root password if it is not randomized on startup. For more information on randomizing the root password on startup, see Disable Password-Based Logins for Root.
- Check if ssh allows root password logins. See Disable Password-Based Logins for Root for more information on disabling root-based password logins.
- Check whether there are any other user accounts that might allow backdoor entry to your instance. Accounts with super user privileges are particularly dangerous.
- Verify that all cron jobs are legitimate.
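As an added example that is not part of the AWS documentation, the following POSIX shell script automates three of the checks above (the authorized keys file, sshd's PermitRootLogin setting, and extra uid 0 accounts) against constructed sample files. The file paths and the launch-key argument are assumptions; open ports and cron jobs are left to manual review.

```shell
#!/bin/sh
# Post-launch audit of a shared AMI (added example, not from the AWS docs).
# Each check takes the file to inspect as an argument, so it runs here on
# constructed samples and, on an instance, on the real files
# (/root/.ssh/authorized_keys, /etc/ssh/sshd_config, /etc/passwd).
# Open ports and cron jobs still need eyes: review `netstat -tulpn`,
# `crontab -l` for every account, and /etc/cron.d by hand.

# The only key in authorized_keys should be the launch key: count the others.
check_authorized_keys() {
    extra=$(awk -v k="$2" '!/^#/ && NF && index($0, k) == 0 { n++ }
                           END { print n + 0 }' "$1")
    [ "$extra" -eq 0 ]
}

# The effective PermitRootLogin is the first uncommented directive; old sshd
# defaults to "yes", so a missing directive counts as a failure.
check_permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ] || [ "$val" = "without-password" ] || [ "$val" = "prohibit-password" ]
}

# Any account other than root with uid 0 is a super user backdoor candidate.
check_superusers() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1")
    [ "$extra" -eq 0 ]
}

# Run all checks, report each failure, return the number of failed checks.
audit() {
    fails=0
    check_authorized_keys "$1" "$2" || { echo "FAIL: unexpected key(s) in $1"; fails=$((fails + 1)); }
    check_permit_root_login "$3" || { echo "FAIL: root password login allowed per $3"; fails=$((fails + 1)); }
    check_superusers "$4" || { echo "FAIL: extra uid 0 account(s) in $4"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files standing in for a freshly launched instance.
tmp=$(mktemp -d)
printf 'ssh-rsa AAAAB3LAUNCH launch-key\nssh-rsa AAAAB3STRANGER someone@else\n' > "$tmp/authorized_keys"
printf '# sshd_config\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/sshd_config"
printf 'root:x:0:0::/root:/bin/sh\ntoor:x:0:0::/root:/bin/sh\nec2-user:x:1000:1000::/home/ec2-user:/bin/sh\n' > "$tmp/passwd"

audit "$tmp/authorized_keys" "AAAAB3LAUNCH" "$tmp/sshd_config" "$tmp/passwd" \
    || echo "audit: $? check(s) failed"    # three FAIL lines, then "3 check(s) failed"
rm -rf "$tmp"
```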