Who's behind community AMIs on Amazon EC2?

I've been using AWS for years, but have never ventured outside the Quick Start and AWS Marketplace sections when launching an EC2 instance.

The AMIs from the AWS Marketplace look trustable, they have a link to the seller profile, etc.:

enter image description here

Compare this to community AMIs, that seem to appear out of thin air, with no information whatsoever on who the heck created and uploaded it:

enter image description here

How to know where a Community AMI comes from? Can these be trusted?


Solution 1:

Any AWS user can create a community AMI by making it public and shared with everyone. So the answer is just about anyone could have created that community AMI.

While many are probably fine, you cannot trust them by default, in my opinion.

Regarding the specific creator of the AMI in question, it appears that the only user-specific information available is the OwnerId field, which is the AWS account ID of the image owner.

Here's an example AWS Cli command to get that information:

aws ec2 describe-images  --image-ids ami-gs5mba4yp26bsyx57

(Replace "gs5mba4yp26bsyx57" with the ami id you want to examine.)

This will return a lot of information about the image, including the OwnerId field.

Solution 2:

and there is absolutely no way to know who created them?

You are looking in the wrong direction! Your trust in community AMIs should come from outside Amazon. For example, if you trust getfedora.org, you can trust the community AMIs it references (as noted in this answer to a closely related question, though the link has since broken).

Similarly Ubuntu has https://cloud-images.ubuntu.com/locator/ec2/ (though I'm not sure if those AMIs are community or not).

There are plenty of other projects which list their own "official" community AMIs. I couldn't find an official list for CentOS which might include the AMI you referenced in the post, but you can always try asking the project maintainers if the AMI was created by them in an official capacity.