Who's behind community AMIs on Amazon EC2?
Solution 1
Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.
While many are probably fine, you cannot trust them by default, in my opinion.
Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.
Here's an example AWS Cli command to get that information:
aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57
(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)
This will return a lot of information about the image, including the OwnerId field.
Solution 2
and there is absolutely no way to know who created them?
You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org
, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).
Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).
There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.
BenMorel
Author of Brick, a collection of open-source libraries for PHP applications: brick/math : an arbitrary-precision arithmetic library brick/money : a money and currency library brick/date-time : a date and time library brick/phonenumber : a phone number library brick/geo : a GIS geometry library brick/varexporter : a powerful alternative to var_export() ... and a few others.
Updated on September 18, 2022Comments
-
BenMorel over 1 year
I've been using AWS for years, but have never ventured outside the
Quick Start
andAWS Marketplace
sections when launching an EC2 instance.The AMIs from the
AWS Marketplace
look trustable, they have a link to the seller profile, etc.:Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:
How to know where a Community AMI comes from? Can these be trusted?
-
Tim almost 5 yearsI know this isn't your question, but if you're looking for hardened images from a reputable source look at the CIS Hardened Images. They have images for most large cloud providers.
-
-
BenMorel almost 5 yearsThanks for the pointer. So as I understand it, anyone can put anything in there, without any verification from AWS, so these images cannot be trusted, and there is absolutely no way to know who created them?
-
vjones almost 5 yearsSo far as I can tell, you can only determine the Account ID of the creator. I added this information to my answer.
-
BenMorel almost 5 yearsSure, looking at it this way is OK, and TBH it's kind of weird that EC2 offers a search engine that returns community AMIs, they could just allow you to use them if you know their ID. I guess this might be useful to try out some things where security doesn't matter.
-
Dave almost 5 yearsAgreed; I don't know why they offer a search by anything other than the AMI ID itself. Discovering them that way is just inherently risky.