Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource


Feb 13, 2025 - 10:37

Researchers uncovered a critical vulnerability in Amazon Web Services (AWS) involving Amazon Machine Images (AMIs). 

Dubbed the “whoAMI” attack, this exploit leverages a name confusion attack, a subset of supply chain attacks, to gain unauthorized code execution within AWS accounts. 

The vulnerability arises from misconfigured software that retrieves AMIs without properly specifying trusted owners, potentially exposing thousands of AWS accounts to exploitation.

The “whoAMI” attack exploits a common pattern in retrieving AMI IDs via the ec2:DescribeImages API. 

This API allows users to filter images based on attributes like name, but the result can inadvertently include malicious AMIs if the owners parameter is not explicitly defined. 

Attack flow of the whoAMI name confusion attack

For example, the following Terraform code snippet illustrates a vulnerable configuration:

Vulnerability triggered

When executed, this code retrieves the most recently published AMI matching the filter criteria, regardless of its source, according to the Datadog Security Labs report.

An attacker can exploit this by publishing a malicious AMI with a crafted name (e.g., ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-whoAMI) that appears more recent than legitimate images.

If deployed at scale, this attack could compromise thousands of AWS accounts. Datadog estimates that approximately 1% of organizations using AWS are vulnerable.

Unexpectedly, internal non-production systems within AWS were also found susceptible to this attack during Datadog’s research. 

This vulnerability could have enabled attackers to execute arbitrary code within AWS’s internal systems if exploited.

This vulnerability extends beyond Terraform and affects other tools and languages, including Python, Go, and Bash scripts using the AWS CLI. 
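To make the selection logic concrete, the following Python is an added example (not code from the article or from Datadog) that replays the "most recent image matching a name filter" pattern over a constructed ec2:DescribeImages result, once without an owner restriction and once with the owners allow list the fix requires, plus an audit step in the spirit of whoAMI-scanner. The account IDs, image IDs and dates are constructed placeholders.

```python
import fnmatch

# Constructed stand-in for an ec2:DescribeImages response (not real AMIs).
# "111111111111" plays the legitimate publisher; "222222222222" plays an
# untrusted account that published a look-alike image with a newer date.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000000a", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240101",
     "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000000b", "OwnerId": "222222222222",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-whoAMI",
     "CreationDate": "2025-02-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000000c", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240101",
     "CreationDate": "2024-06-01T00:00:00.000Z"},
]

NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
TRUSTED_OWNERS = {"111111111111"}  # constructed allow list of publisher accounts


def _matches(image, name_pattern):
    # Same glob semantics as a DescribeImages "name" filter value.
    return fnmatch.fnmatchcase(image["Name"], name_pattern)


def _newest(images):
    # CreationDate is ISO 8601 in UTC, so string order equals time order.
    return max(images, key=lambda i: i["CreationDate"]) if images else None


def pick_ami_vulnerable(images, name_pattern):
    """Name filter + most_recent with no owner restriction: owner is ignored,
    so any account's newer look-alike image wins."""
    return _newest([i for i in images if _matches(i, name_pattern)])


def pick_ami_hardened(images, name_pattern, trusted_owners):
    """Same query restricted to trusted owners, as passing Owners to
    DescribeImages (or `owners` on the Terraform data source) would do."""
    return _newest([i for i in images
                    if i["OwnerId"] in trusted_owners
                    and _matches(i, name_pattern)])


def audit_untrusted(images, trusted_owners):
    """Audit step: image IDs whose publisher is outside the allow list."""
    return [i["ImageId"] for i in images if i["OwnerId"] not in trusted_owners]
```

With boto3 the hardened query is `ec2.describe_images(Owners=[...], Filters=[...])`; with the AWS CLI it is `aws ec2 describe-images --owners ... --filters ...`.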

AWS Response and Mitigation

AWS promptly addressed the issue after it was disclosed by Datadog. AWS introduced Allowed AMIs, a defense-in-depth feature allowing users to create an allow list of trusted AMI providers by specifying account IDs or predefined keywords like amazon. This feature ensures only verified AMIs are used in EC2 deployments.

To further assist organizations, Datadog released an open-source tool called whoAMI-scanner, which audits cloud environments for untrusted AMIs. 

This tool helps identify and mitigate risks associated with deploying potentially malicious images. Hence, organizations are urged to adopt AWS’s new features and follow best practices to protect their cloud infrastructure from similar vulnerabilities.


The post Amazon Machine Image Name Confusion Attack Let Attackers Publish Resource appeared first on Cyber Security News.