Datadog reveals whoAMI attack vulnerability in AWS AMI
Datadog's Security Labs team has identified the whoAMI attack, a vulnerability involving AWS's Amazon Machine Images (AMIs) that could affect thousands of accounts if exploited at scale.
Datadog Security Labs made this discovery in August 2024 while analysing patterns in how various software projects retrieve AMIs when creating EC2 instances. This type of attack is known as a name confusion attack, a subset of supply chain attacks, and bears similarities to dependency confusion attacks.
The vulnerability allows anyone who publishes an AMI with a specially crafted name to execute code within the affected AWS account. Datadog's investigation confirmed that internal non-production systems within AWS itself were susceptible to this attack, posing a risk of code execution within AWS's internal systems had the vulnerability been exploited.
"This misconfiguration falls on the customer side of the shared responsibility model," the findings indicated, highlighting the critical nature of maintaining customer-side security measures.
In response to these findings, AWS announced on December 1, 2024, the introduction of "Allowed AMIs". This new feature serves as a defence mechanism by enabling users to whitelist specific AWS accounts as trustworthy AMI providers, which could prevent a whoAMI attack if properly enabled and configured.
Alongside AWS's actions, Datadog has released queries to assist companies in identifying vulnerable patterns within their code.
Additionally, Datadog launched an open source project called whoAMI-scanner, designed to detect the use of untrusted AMIs in a given environment.
The whoAMI-scanner aims to offer a practical tool for organisations to safeguard against potential exploitation by ensuring their deployments do not include untrusted or unsafe AMIs.
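As an added illustration of the two defender-side checks the article describes, a lookup that pins AMI owners and an inventory check for untrusted AMIs in use (code written for this article, not Datadog's whoAMI-scanner or AWS's own tooling; the trusted account, AMI and instance IDs are constructed placeholders):

```python
# Added example, written for this article; it is not Datadog's whoAMI-scanner
# or any AWS code. It shows two defender-side checks: (1) does an AMI lookup
# pin trusted owner accounts, and (2) which running instances use an AMI from
# an account outside the trusted set. All account/AMI/instance IDs below are
# constructed placeholders.

# Placeholder: the AWS account IDs you trust to publish AMIs (e.g. your own).
TRUSTED_OWNERS = {"111111111111"}

def lookup_is_pinned(params: dict, trusted: set) -> bool:
    """True when a describe_images-style request restricts results to trusted owners.

    The name-confusion risk comes from filtering only on the image Name (often
    with a wildcard) and taking the newest match: any AWS account can publish
    an AMI with a matching name. Restricting Owners removes that ambiguity.
    """
    owners = set(params.get("Owners", []))
    for f in params.get("Filters", []):
        if f.get("Name") in ("owner-id", "owner-alias"):
            owners.update(f.get("Values", []))
    return bool(owners) and owners <= trusted

def untrusted_amis_in_use(instances, images, trusted):
    """Return (instance_id, image_id, owner_id) for instances on untrusted AMIs."""
    owner_of = {img["ImageId"]: img["OwnerId"] for img in images}
    return [
        (inst["InstanceId"], inst["ImageId"], owner_of.get(inst["ImageId"], "unknown"))
        for inst in instances
        if owner_of.get(inst["ImageId"]) not in trusted  # unknown AMIs are flagged too
    ]

# Constructed lookups: the first matches on name alone, the second pins the owner.
VULNERABLE_LOOKUP = {"Filters": [{"Name": "name", "Values": ["base-image-*"]}]}
PINNED_LOOKUP = {"Owners": ["111111111111"],
                 "Filters": [{"Name": "name", "Values": ["base-image-*"]}]}

# Constructed inventory, shaped like describe_instances / describe_images output.
IMAGES = [{"ImageId": "ami-0trusted00", "OwnerId": "111111111111"},
          {"ImageId": "ami-0untrusted", "OwnerId": "999999999999"}]
INSTANCES = [{"InstanceId": "i-0good", "ImageId": "ami-0trusted00"},
             {"InstanceId": "i-0bad", "ImageId": "ami-0untrusted"}]

if __name__ == "__main__":
    print("vulnerable lookup pinned:", lookup_is_pinned(VULNERABLE_LOOKUP, TRUSTED_OWNERS))
    print("pinned lookup pinned:", lookup_is_pinned(PINNED_LOOKUP, TRUSTED_OWNERS))
    for row in untrusted_amis_in_use(INSTANCES, IMAGES, TRUSTED_OWNERS):
        print("untrusted AMI in use:", row)
```

Against a real account, the same functions can be fed the dictionaries returned by boto3's `describe_images` and `describe_instances` calls.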
Dan Benjamin, a member of the Datadog Security Labs team, noted, "Successful attackers could have ensured anyone using the tool would deploy a malicious AMI rather than the intended one," emphasising the necessity of proactive measures to mitigate such risks.
By working closely with AWS, Datadog has helped address this significant security challenge, highlighting the importance of collaboration in cybersecurity efforts.
The introduction of Allowed AMIs and tools like the whoAMI-scanner demonstrate a combined effort to enhance security for all AWS customers.