Make "owners" field of source_ami_filter required: RFC
SwampDragons opened this issue ยท 10 comments
HashiCorp's security team pointed out an interesting potential exploit where if you request an amazon AMI via a source_ami_filter, but don't have "owner" selected, you can accidentally use a malicious base image instead of one from your own organization or a trusted vendor.
The impact of making the "owner" field required would be low for the users (I strongly suspect that a majority of people using the filter already define the owner field) but could save users from making a potentially dangerous mistake. I think we should have Packer fail during validation with an error that says this field must be designated; if we decide that there is a valid use case where people may not want to have to set this field, we could potentially allow an opt out like setting "owner" to "any" but honestly I can't think of a situation where this really makes a great deal of sense.
I'm going to slate this for v1.3.0 but I'd like to hear community thoughts.
๐ to this, absolutely.
I encountered exactly this bug last week, ended up with a Monero miner instead of a vanilla Ubuntu AMI when the owner
filter was missed.
@007 Can you shoot me an email? I have a couple of questions about your experience with this issue.
Done
@SwampDragons I can't upgrade to Packer 1.3.0 because of this change. Essentially we use the same JSON Packer definitions for production AWS account as development AWS account, and only have to modify the profile
to toggle between production and development AWS credentials.
The problem is the owners
field id now is different as well for production and development AWS accounts. Can you provide a solution to this? Is there an abstraction I am missing? Thanks.
@nodesocket the "owners" field is a list, so I believe you should be able to simply provide both possible "owner" IDs and have the filter still work for both. Then no matter which (prod or dev) owner owns the AMI, you should be able to find one.
Ahh, didn't realize owners
take a list. That worked. Thanks!
Awesome! Super glad it isn't a blocker.
You can also use self
.
We should probably add some more info in the docs. From the AWS docs:
Filters the images by the owner. Specify an AWS account ID, self (owner is the sender of the request), or an AWS owner alias (valid values are amazon | aws-marketplace | microsoft ). Omitting this option returns all images for which you have launch permissions, regardless of ownership
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
Good point. I've opened a PR updating docs: #6694
I'm going to lock this issue because it has been closed for 30 days โณ. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.