Full Report
Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. "If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report
Analysis Summary
# Vulnerability: AWS AMI Name Confusion Leading to Remote Code Execution (whoAMI Attack)
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely related to CWE-843 (Type Confusion) or CWE-20 (Improper Input Validation), specifically in the context of resource naming/retrieval.
## Affected Systems
- Products: Amazon Web Services (AWS) EC2 service, specifically systems that retrieve AMIs using specific filtering criteria.
- Versions: Not specified, but applies to configurations exhibiting the vulnerable pattern.
- Configurations: Systems/codebases that retrieve an AMI via the `ec2:DescribeImages` API call and meet the following vulnerable criteria:
1. Use of the name filter.
2. Failure to specify the `--owners`, `owner-alias`, or `owner-id` parameters.
3. Fetching the most recently created image (`most_recent=true`) from the returned list.
## Vulnerability Description
The "whoAMI" attack is a supply chain vulnerability exploited via name confusion in the AWS Community AMI catalog. An attacker can publish a malicious Amazon Machine Image (AMI) under a name that matches a frequently sought-after official or legitimate AMI name. If a victim system queries the `ec2:DescribeImages` API using only a name filter (and misses specifying the owner ID), the AWS API returns a list of matching AMIs. If the attacker's malicious AMI is the most recently created among the matches, the victim system will inadvertently launch an EC2 instance using the attacker's backdoored AMI, resulting in Remote Code Execution (RCE) within the victim's AWS account. This is analogous to dependency confusion, but targeting VM images instead of software packages.
Datadog estimates roughly 1% of monitored organizations were using the vulnerable pattern in their code (found in Python, Go, Java, Terraform, Pulumi, and Bash).
## Exploitation
- Status: **PoC available** (The researchers demonstrated the technique). AWS stated no evidence of abuse by parties other than the researchers themselves.
- Complexity: **Low** (Requires only an AWS account to publish the malicious AMI and knowledge of the target's search criteria).
- Attack Vector: **Network** (The attack is successful when triggered remotely by the victim querying the AWS API).
## Impact
- Confidentiality: **High** (RCE allows access to instance data and potentially the broader AWS environment).
- Integrity: **High** (RCE allows modification or deletion of data/resources on the compromised instance).
- Availability: **High** (RCE can be used to disrupt services running on the compromised EC2 instance).
## Remediation
### Patches
- AWS addressed the issue following responsible disclosure on September 16, 2024. (Specific patch versions/details were not listed as the fix appears to be implemented by AWS service logic enforcement, rather than a user-applied software patch).
### Workarounds
- **Code Remediation:** Do not search for AMIs solely by name via API calls. Always explicitly provide the `--owners` (or equivalent `owner-alias` or `owner-id`) parameter when using `ec2:DescribeImages` to ensure only known, trusted AMIs are retrieved.
- **Exclusion:** Ensure that code is not fetching the "most recent" image from an unfiltered list.
## Detection
- **Indicators of Compromise:**
- Unexpected AMI IDs being registered or launched in your environment that do not correspond to known golden images or official sources.
- Unusual network activity originating from newly launched EC2 instances shortly after AMI description calls.
- **Detection methods and tools:** Scanning code repositories (Python, Go, Java, Terraform, etc.) for instances of `ec2:DescribeImages` calls that rely only on the name filter without specifying an owner ID.
## References
- Vendor Advisories: AWS addressed the issue on September 19, 2024 (3 days after disclosure on Sep 16, 2024).
- Relevant links:
- https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/
- https://thehackernews.com/2025/02/new-whoami-attack-exploits-aws-ami-name.html