Untrusted AMI images Medium

The code requests Amazon Machine Images (AMIs) by name, without filtering them by owner or AMI identifiers. The response might contain untrusted public images from other accounts. Launching an AMI from an untrusted source might inadvertently run malicious code.

Detector ID
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1public void describeImagesNoncompliant(AmazonEC2 client) {
2    final String imageName = "sample_image_name";
3    final Filter filter = new Filter("name").withValues(imageName);
4    // Noncompliant: images are filtered using name only.
5    DescribeImagesResult result =
6            client.describeImages(new DescribeImagesRequest().withFilters(filter));

Compliant example

1public void describeImagesCompliant(AmazonEC2 client) {
2    final String imageName = "sample_image_name";
3    final String imageOwner = "sample_image_owner";
4    final Filter nameFilter = new Filter("name").withValues(imageName);
5    final Filter ownerFilter = new Filter("owner-alias").withValues(imageOwner);
6    // Compliant: images are filtered using name and owner.
7    DescribeImagesResult result =
8            client.describeImages(new DescribeImagesRequest().withFilters(Arrays.asList(nameFilter, ownerFilter)));