Bsrgvty

How to get best taste out of tomatoes?

What was meant by the protest sign "Bundestag nach Berlin"?

Doubt on pronunciation of verbs (stressing)

Seeing the ground from the shuttle before launch?

Bo Derek in texbook.tex?

My mysterious "ruins" wander around and change on their own, what'd be a rational way for them to do that?

How do soldiers of conquered states enlist into the army of their conqueror?

How prevalent is the sound /ʑ:/ in Russian?

Equality operator does not get defined for a custom spaceship operator implementation in C++20

Equipment replacement problem

Which battle was the most lopsided result in terms of casualties?

My boss wants me to recreate everything I have done for my previous employer

Would an antimatter bullet fired from a sniper rifle even reach its target?

Short story about two entangled quantum physicists

How to communicate faster than the system clock

If Space Shuttle flies "like a brick", why does it need the wings?

Is it possible to use gases instead of liquids as fuel in a rocket engine?

How did Krennic locate the Erso's hideout?

What is my volume?

How to manage publications on a local computer

50% portfolio in single stock, JPM - appropriate for 80 year old?

Driving distance between O'Hare (ORD) and Downtown Chicago is 20.5 mi and 1H 17min?

A Star Trek book I read in the eighties, Kirk is shunned for destroying a civilization

Object Oriented Programming - how to avoid duplication in processes that differ slightly depending on a variable

Who's behind community AMIs on Amazon EC2?

How can I have trust in a Community AMI offered on Amazon EC2AMIs in Amazon EC2Is there a place to get popular AMIs for Amazon EC2?Amazon EC2 terminology - AMI vs. EBS vs. Snapshot vs. VolumeAre AWS EC2 AMIs automatically shared as community AMIs?1 EC2 instance per website - manage multiple websites on Amazon cloud using EC2Delete Amazon EC2 terminated instanceUbuntu 14.04 Server HVM with EBS Free Tier AMIHow can I have trust in a Community AMI offered on Amazon EC2

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;

19

1

I've been using AWS for years, but have never ventured outside the Quick Start and AWS Marketplace sections when launching an EC2 instance.

The AMIs from the AWS Marketplace look trustable, they have a link to the seller profile, etc.:

Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:

How to know where a Community AMI comes from? Can these be trusted?

amazon-web-services amazon-ec2 amazon-ami

share|improve this question

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

• 
  
  
  

  
  5
  

  
  
  
  
  
  

  
  
  I know this isn't your question, but if you're looking for hardened images from a reputable source look at the CIS Hardened Images. They have images for most large cloud providers.
  
  – Tim
  Aug 3 at 21:03
  

  
  
  
  

add a comment
 | 

19

1

I've been using AWS for years, but have never ventured outside the Quick Start and AWS Marketplace sections when launching an EC2 instance.

The AMIs from the AWS Marketplace look trustable, they have a link to the seller profile, etc.:

Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:

How to know where a Community AMI comes from? Can these be trusted?

amazon-web-services amazon-ec2 amazon-ami

share|improve this question

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

• 
  
  
  

  
  5
  

  
  
  
  
  
  

  
  
  I know this isn't your question, but if you're looking for hardened images from a reputable source look at the CIS Hardened Images. They have images for most large cloud providers.
  
  – Tim
  Aug 3 at 21:03
  

  
  
  
  

add a comment
 | 

I've been using AWS for years, but have never ventured outside the Quick Start and AWS Marketplace sections when launching an EC2 instance.

The AMIs from the AWS Marketplace look trustable, they have a link to the seller profile, etc.:

Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:

How to know where a Community AMI comes from? Can these be trusted?

amazon-web-services amazon-ec2 amazon-ami

share|improve this question

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

share|improve this question

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

share|improve this question

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

asked Aug 3 at 12:06

BenjaminBenjamin

2,26199 gold badges4040 silver badges6969 bronze badges

2 Answers
2

active

oldest

votes

23

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

share|improve this answer

edited Aug 3 at 15:24

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Thanks for the pointer. So as I understand it, anyone can put anything in there, without any verification from AWS, so these images cannot be trusted, and there is absolutely no way to know who created them?
  
  – Benjamin
  Aug 3 at 14:57
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So far as I can tell, you can only determine the Account ID of the creator. I added this information to my answer.
  
  – vjones
  Aug 3 at 15:27
  

  
  
  
  

add a comment
 | 

5

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.

share|improve this answer

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sure, looking at it this way is OK, and TBH it's kind of weird that EC2 offers a search engine that returns community AMIs, they could just allow you to use them if you know their ID. I guess this might be useful to try out some things where security doesn't matter.
  
  – Benjamin
  Aug 5 at 14:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Agreed; I don't know why they offer a search by anything other than the AMI ID itself. Discovering them that way is just inherently risky.
  
  – Dave
  Aug 5 at 17:26
  

  
  
  
  

add a comment
 | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f977835%2fwhos-behind-community-amis-on-amazon-ec2%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

23

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

share|improve this answer

edited Aug 3 at 15:24

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Thanks for the pointer. So as I understand it, anyone can put anything in there, without any verification from AWS, so these images cannot be trusted, and there is absolutely no way to know who created them?
  
  – Benjamin
  Aug 3 at 14:57
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So far as I can tell, you can only determine the Account ID of the creator. I added this information to my answer.
  
  – vjones
  Aug 3 at 15:27
  

  
  
  
  

add a comment
 | 

23

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

share|improve this answer

edited Aug 3 at 15:24

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Thanks for the pointer. So as I understand it, anyone can put anything in there, without any verification from AWS, so these images cannot be trusted, and there is absolutely no way to know who created them?
  
  – Benjamin
  Aug 3 at 14:57
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So far as I can tell, you can only determine the Account ID of the creator. I added this information to my answer.
  
  – vjones
  Aug 3 at 15:27
  

  
  
  
  

add a comment
 | 

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

share|improve this answer

edited Aug 3 at 15:24

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

aws ec2 describe-images --image-ids ami-gs5mba4yp26bsyx57

share|improve this answer

edited Aug 3 at 15:24

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

answered Aug 3 at 14:54

vjonesvjones

79177 silver badges1111 bronze badges

5

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.

share|improve this answer

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sure, looking at it this way is OK, and TBH it's kind of weird that EC2 offers a search engine that returns community AMIs, they could just allow you to use them if you know their ID. I guess this might be useful to try out some things where security doesn't matter.
  
  – Benjamin
  Aug 5 at 14:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Agreed; I don't know why they offer a search by anything other than the AMI ID itself. Discovering them that way is just inherently risky.
  
  – Dave
  Aug 5 at 17:26
  

  
  
  
  

add a comment
 | 

5

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.

share|improve this answer

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Sure, looking at it this way is OK, and TBH it's kind of weird that EC2 offers a search engine that returns community AMIs, they could just allow you to use them if you know their ID. I guess this might be useful to try out some things where security doesn't matter.
  
  – Benjamin
  Aug 5 at 14:43
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Agreed; I don't know why they offer a search by anything other than the AMI ID itself. Discovering them that way is just inherently risky.
  
  – Dave
  Aug 5 at 17:26
  

  
  
  
  

add a comment
 | 

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.

share|improve this answer

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

share|improve this answer

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

answered Aug 5 at 6:56

DaveDave

15133 bronze badges

answered Aug 5 at 6:56

DaveDave

15133 bronze badges