The whoAMI attack is a new name confusion exploit that allows hackers to gain remote code execution (RCE) within AWS accounts, according to a recent report.
This attack relies on Amazon Machine Image (AMI) misuse. Hackers upload malicious AMIs with deceptive names, tricking misconfigured software into using them. If successful, the attacker can deploy backdoored instances on AWS.
How the Attack Works
The vulnerability occurs when users search for AMIs without specifying an owner ID or alias in the ec2:DescribeImages API. If they also filter by name and fetch the most recent result, they may unknowingly select an attacker-controlled AMI instead of a legitimate one.
Once deployed, this rogue AMI grants RCE access, allowing attackers to steal data, install malware, or move laterally within the AWS environment.
Similar to Dependency Confusion
Researchers compare whoAMI to dependency confusion attacks, where malicious packages replace trusted ones. However, in this case, the infected resource is a virtual machine image rather than a software dependency.
Reports show that around 1% of monitored organizations were affected. Vulnerable code examples exist in Python, Go, Java, Terraform, Pulumi, and Bash.
AWS Response and Fixes
AWS addressed the issue within three days of disclosure in September 2024. Investigations from AWS found no signs of real-world abuse, only researcher tests.
To improve security, AWS introduced Allowed AMIs, a new control that restricts AMI selection. Terraform also issued warnings about unsafe AMI searches and will block insecure queries in future updates.
How to Prevent This Attack
Organizations should always specify the owner ID when retrieving AMIs via the ec2:DescribeImages API. Filtering by trusted sources prevents attackers from injecting malicious AMIs into searches.
Additionally, businesses must enable AWS security controls, such as Allowed AMIs, and regularly review infrastructure code for vulnerabilities. Keeping cloud security configurations up to date helps prevent exploitation.
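The following is an added example, not code from the report or from AWS, showing the name-plus-most-recent selection described above next to an owner-pinned version, along with a small check for reviewing DescribeImages parameters in infrastructure code. The account IDs, image IDs and image names are constructed placeholders, and describe_images is an offline stand-in for the real API call.

```python
from fnmatch import fnmatchcase

# Constructed sample shaped like the "Images" list of an ec2:DescribeImages
# response. Account IDs, image IDs and names are placeholders.
TRUSTED_OWNER = "111111111111"  # assumed trusted publisher account
IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "OwnerId": TRUSTED_OWNER,
     "Name": "example-linux-2024.08-x86_64", "CreationDate": "2024-08-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb", "OwnerId": "999999999999",
     "Name": "example-linux-2024.09-x86_64", "CreationDate": "2024-09-15T00:00:00.000Z"},
]

def describe_images(images, name_pattern, owners=None):
    """Offline stand-in for DescribeImages with a name filter and optional Owners."""
    return [i for i in images
            if fnmatchcase(i["Name"], name_pattern)
            and (owners is None or i["OwnerId"] in owners)]

def latest_unsafe(images, name_pattern):
    """Risky pattern: name filter only, newest result wins regardless of owner."""
    hits = describe_images(images, name_pattern)
    return max(hits, key=lambda i: i["CreationDate"])

def latest_pinned(images, name_pattern, owners):
    """Same query restricted to trusted owners; fails closed when nothing matches."""
    if not owners:
        raise ValueError("owners must list at least one trusted account")
    hits = describe_images(images, name_pattern, owners)
    if not hits:
        raise LookupError(f"no image matching {name_pattern!r} from {sorted(owners)}")
    return max(hits, key=lambda i: i["CreationDate"])

def is_risky_query(params):
    """Flag DescribeImages parameters that filter by name with no owner constraint."""
    filters = {f["Name"] for f in params.get("Filters", [])}
    has_owner = bool(params.get("Owners")) or bool(filters & {"owner-id", "owner-alias"})
    return "name" in filters and not has_owner and not params.get("ImageIds")

if __name__ == "__main__":
    pattern = "example-linux-*-x86_64"
    print("unsafe ->", latest_unsafe(IMAGES, pattern)["OwnerId"])
    print("pinned ->", latest_pinned(IMAGES, pattern, {TRUSTED_OWNER})["OwnerId"])
```

With the constructed data, the unpinned lookup returns the newer image from the untrusted account, while the pinned lookup returns the trusted publisher's image or raises if none exists.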