DataDog security researchers discovered “WhoAMI” — a name confusion attack against AWS EC2 that exploits the AMI selection process. When organizations search for AMIs without specifying an owner ID and use the most_recent=true parameter, an attacker who publishes a maliciously named Community AMI can cause automated deployment systems to launch their compromised image. DataDog reported the issue to AWS in August 2024; AWS shipped a patch in September 2024 and launched the Allowed AMIs feature on December 1, 2024.
Name Confusion Attack: How a Public AMI Becomes a Backdoor
The vulnerability exploits a name confusion attack vector within AWS’s EC2 service, specifically targeting the AMI selection process. Amazon Machine Images serve as templates for virtual machines in AWS’s Elastic Compute Cloud (EC2), containing pre-configured operating systems and application stacks. The attack becomes possible when organizations fail to properly validate AMI ownership during image selection processes.
Technical Analysis of the Exploit
Three critical conditions must align for successful exploitation of the WhoAMI vulnerability:
- Missing explicit AMI owner specification in image searches
- Use of the most_recent=true parameter, so the newest image matching the name filter is selected automatically
- Insufficient validation of AMI sources
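The first two conditions are visible in infrastructure code before anything is deployed, so they can be audited statically. The following added example (my own code, not Datadog's or AWS's) scans Terraform text for `data "aws_ami"` blocks and flags any that lack a non-empty `owners` list, noting when `most_recent = true` is also set. The sample Terraform and the account ID in it are constructed placeholders; the regex-based block extraction is deliberately minimal and assumes well-formed HCL.

```python
import re

# Constructed sample Terraform, not taken from the article: "app" shows the unsafe pattern
# (name filter + most_recent, no owners) and "base" pins the owner. The account ID is a placeholder.
SAMPLE_TF = """
data "aws_ami" "app" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu-server-*"]
  }
}

data "aws_ami" "base" {
  most_recent = true
  owners      = ["123456789012"]
  filter {
    name   = "name"
    values = ["ubuntu-server-*"]
  }
}
"""

BLOCK_START = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')


def extract_aws_ami_blocks(text):
    """Return (label, body) for every data "aws_ami" block, matching braces so nested
    filter {} blocks stay inside the body instead of ending it early."""
    blocks = []
    for m in BLOCK_START.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(1), text[m.end():i - 1]))
    return blocks


def audit_aws_ami_blocks(text):
    """Flag data sources with a missing or empty owners list; note when most_recent = true
    is also present, which is the combination the WhoAMI technique relies on."""
    findings = []
    for label, body in extract_aws_ami_blocks(text):
        most_recent = re.search(r"\bmost_recent\s*=\s*true\b", body) is not None
        owners = re.search(r"\bowners\s*=\s*\[([^\]]*)\]", body)
        has_owners = owners is not None and owners.group(1).strip() != ""
        if not has_owners:
            reason = "no owners list" + (" with most_recent = true" if most_recent else "")
            findings.append((label, reason))
    return findings


if __name__ == "__main__":
    for label, reason in audit_aws_ami_blocks(SAMPLE_TF):
        print(f'data "aws_ami" "{label}": {reason}')
```

Run against a real repository by reading each `.tf` file into `audit_aws_ami_blocks`; any finding means a name filter alone decides which image is launched.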
Attack Vector and Implementation
The exploitation process begins with an attacker creating a malicious AMI and publishing it to the Community AMI catalog. By strategically naming this image to mimic legitimate, trusted sources, attackers can potentially trick automated deployment systems into selecting their compromised image. This attack vector is particularly concerning as it requires only basic AWS account access to execute.
Security Implications and Mitigation Strategies
AWS has implemented several security measures in response to this discovery. A patch was released in September 2024, followed by the introduction of the “Allowed AMIs” security feature on December 1, 2024. This new mechanism enables organizations to maintain whitelists of trusted AMI providers, significantly reducing the risk of unauthorized image deployment.
To prevent WhoAMI-class attacks, always pass an explicit --owners value (an account ID, amazon, or aws-marketplace) to aws ec2 describe-images, i.e. set the Owners parameter of the DescribeImages API, so that a name filter can only match images published by accounts you trust. Enable the Allowed AMIs feature in EC2 settings to restrict AMI discovery to pre-approved accounts and remove the name-confusion attack surface entirely. AWS confirmed no known exploitation before the patch.
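The owner restriction is easiest to see side by side with the pattern it replaces. The added example below (my own code, not from the article or AWS) works on DescribeImages-style records: `pick_most_recent_unchecked` is the vulnerable selection (newest matching image wins regardless of publisher), `select_trusted_ami` filters by an owner allow-list first and fails closed, and `newer_untrusted_images` is a detection check that reports community images that would have shadowed the trusted one. The image records, AMI IDs and account IDs are constructed placeholders. In a live setup the list comes from boto3's `ec2.describe_images(Owners=[...], Filters=[...])`, where the `Owners` argument enforces the same restriction server-side; `_is_trusted` also honours `ImageOwnerAlias`, which DescribeImages sets to `amazon` or `aws-marketplace` for those publishers.

```python
from datetime import datetime

# Constructed DescribeImages-style records; IDs, names and account IDs are placeholders, not real AMIs.
# The second record plays the look-alike: a newer community image whose name matches the same filter.
IMAGES = [
    {"ImageId": "ami-00000000000000001", "Name": "ubuntu-server-2024.09",
     "OwnerId": "123456789012", "CreationDate": "2024-09-01T00:00:00.000Z"},
    {"ImageId": "ami-00000000000000002", "Name": "ubuntu-server-2025.01",
     "OwnerId": "999999999999", "CreationDate": "2025-01-15T00:00:00.000Z"},
    {"ImageId": "ami-00000000000000003", "Name": "ubuntu-server-2024.11",
     "OwnerId": "123456789012", "CreationDate": "2024-11-20T00:00:00.000Z"},
]

# Constructed allow-list: the account that publishes our base images plus Amazon's own images.
TRUSTED_OWNERS = {"amazon", "123456789012"}


def _created(img):
    """Parse the CreationDate string DescribeImages returns (ISO 8601 with milliseconds)."""
    return datetime.strptime(img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _is_trusted(img, trusted_owners):
    # Amazon-owned and Marketplace images carry ImageOwnerAlias; everything else only has an account ID.
    return img["OwnerId"] in trusted_owners or img.get("ImageOwnerAlias") in trusted_owners


def pick_most_recent_unchecked(images):
    """The vulnerable pattern: the newest image wins, whoever published it."""
    return max(images, key=_created)


def select_trusted_ami(images, trusted_owners):
    """Hardened selection: restrict to trusted owners first, then take the newest.
    Fails closed rather than falling back to whatever the community catalog offers."""
    candidates = [img for img in images if _is_trusted(img, trusted_owners)]
    if not candidates:
        raise LookupError("no image from a trusted owner matched the filter")
    return max(candidates, key=_created)


def newer_untrusted_images(images, trusted_owners):
    """Detection signal: untrusted images newer than the chosen trusted one are exactly
    those an owner-less most_recent lookup would have launched instead."""
    chosen = select_trusted_ami(images, trusted_owners)
    return [img["ImageId"] for img in images
            if not _is_trusted(img, trusted_owners) and _created(img) > _created(chosen)]


if __name__ == "__main__":
    print("unchecked:", pick_most_recent_unchecked(IMAGES)["ImageId"])
    print("trusted:  ", select_trusted_ami(IMAGES, TRUSTED_OWNERS)["ImageId"])
    print("shadowing:", newer_untrusted_images(IMAGES, TRUSTED_OWNERS))
```

Running `newer_untrusted_images` periodically against the filters your pipelines actually use gives an inventory of look-alike images that would win an unowned search, which is useful both for prioritising which deployment code to fix and for confirming that enabling Allowed AMIs has removed them from discovery.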