New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution

Summary: Cybersecurity researchers have uncovered a new name confusion attack named whoAMI that enables attackers to execute code within AWS accounts by publishing malicious Amazon Machine Images (AMIs). The attack exploits misconfigured use of the ec2:DescribeImages API, potentially compromising numerous accounts if executed at scale. Following responsible disclosure, Amazon has addressed the vulnerability, confirming no evidence of exploitation in the wild but recommending enhanced security measures for users.

Affected: Amazon Web Services (AWS)

Key points:

  • The whoAMI attack relies on creating a malicious AMI with a name matching the search criteria used by victims.
  • This attack type requires three conditions to be met: using a name filter, omitting owner specifications, and fetching the most recently created image.
  • Amazon has implemented new security controls, such as Allowed AMIs, to mitigate this vulnerability.
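
The three conditions above, written as a check over ec2:DescribeImages request parameters, next to a selection routine that pins the owner before taking the newest image. This is an added example, not code from the article or from AWS; the parameter and field names follow the boto3 request/response shape, and the account IDs, image IDs and image names are constructed.

```python
from datetime import datetime

# Constructed DescribeImages response (boto3 shape); every ID here is made up.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa", "Name": "ubuntu-22.04-server-20250101",
     "OwnerId": "111111111111", "CreationDate": "2025-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbb", "Name": "ubuntu-22.04-server-20250210",
     "OwnerId": "999999999999", "CreationDate": "2025-02-10T00:00:00.000Z"},
]
TRUSTED_OWNERS = {"111111111111"}  # assumption: the publisher account you expect


def is_risky_lookup(params, picks_latest):
    """True when all three whoAMI conditions hold for one DescribeImages call."""
    filters = params.get("Filters", [])
    has_name_filter = any(f.get("Name") == "name" for f in filters)
    # The owner can be pinned via the Owners parameter or an owner-* filter.
    owner_pinned = bool(params.get("Owners")) or any(
        f.get("Name") in ("owner-id", "owner-alias") for f in filters)
    return has_name_filter and not owner_pinned and picks_latest


def _created(image):
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")


def latest(images):
    """Naive selection: newest matching image, whoever published it."""
    return max(images, key=_created)


def latest_trusted(images, trusted_owners):
    """Hardened selection: discard images from unexpected accounts first."""
    trusted = [i for i in images if i["OwnerId"] in trusted_owners]
    if not trusted:
        raise LookupError("no matching image from a trusted owner")
    return max(trusted, key=_created)


if __name__ == "__main__":
    query = {"Filters": [{"Name": "name", "Values": ["ubuntu-22.04-server-*"]}]}
    print("risky lookup:", is_risky_lookup(query, picks_latest=True))
    print("naive pick:  ", latest(SAMPLE_IMAGES)["ImageId"])
    print("trusted pick:", latest_trusted(SAMPLE_IMAGES, TRUSTED_OWNERS)["ImageId"])
```

Passing `Owners` in the request itself is preferable to filtering afterwards; the post-filter is shown so the difference in the selected image is visible on the same response.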

Source: https://thehackernews.com/2025/02/new-whoami-attack-exploits-aws-ami-name.html