Who's behind community AMIs on Amazon EC2?

amazon-web-services amazon-ec2 amazon-ami
5,428

Solution 1

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images  --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

Solution 2

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.

Share:
5,428
BenMorel
Author by

BenMorel

Author of Brick, a collection of open-source libraries for PHP applications: brick/math : an arbitrary-precision arithmetic library brick/money : a money and currency library brick/date-time : a date and time library brick/phonenumber : a phone number library brick/geo : a GIS geometry library brick/varexporter : a powerful alternative to var_export() ... and a few others.

Updated on September 18, 2022

Comments

  • BenMorel
    BenMorel over 1 year

    I've been using AWS for years, but have never ventured outside the Quick Start and AWS Marketplace sections when launching an EC2 instance.

    The AMIs from the AWS Marketplace look trustable, they have a link to the seller profile, etc.:

    enter image description here

    Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:

    enter image description here

    How to know where a Community AMI comes from? Can these be trusted?

    • Tim
      Tim almost 5 years
      I know this isn't your question, but if you're looking for hardened images from a reputable source look at the CIS Hardened Images. They have images for most large cloud providers.
  • BenMorel
    BenMorel almost 5 years
    Thanks for the pointer. So as I understand it, anyone can put anything in there, without any verification from AWS, so these images cannot be trusted, and there is absolutely no way to know who created them?
  • vjones
    vjones almost 5 years
    So far as I can tell, you can only determine the Account ID of the creator. I added this information to my answer.
  • BenMorel
    BenMorel almost 5 years
    Sure, looking at it this way is OK, and TBH it's kind of weird that EC2 offers a search engine that returns community AMIs, they could just allow you to use them if you know their ID. I guess this might be useful to try out some things where security doesn't matter.
  • Dave
    Dave almost 5 years
    Agreed; I don't know why they offer a search by anything other than the AMI ID itself. Discovering them that way is just inherently risky.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Pre-configured EC2 VPN AMI
AWS Load Balancer: 503 (Service Unavailable: Back-end server is at capacity)
Boto3: Get EC2 images owned by me
How to get the Amazon Linux AMI version by AMI id?
Using boto, is there a way to create an AMI from a snapshot ID?
installing glusterfs on amazon ec2
Invalid block device mapping: Invalid device name - Creating an AMI from an Instance Store-Backed
Why is my AWS instance not reachable?
Can't find my AWS shared AMI when trying to share with specific account
How to recreate a working AMI from recovery snapshot after Aug 8 outage?