Along with EC2 Elastic Block Storage (EBS) for persistent block storage, users can create one or more instance stores.

Now, the researchers found that the way software projects retrieve AMI IDs was flawed, and allowed threat actors to gain remote code execution (RCE) capabilities within people’s AWS accounts.

Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.

Due to a misconfiguration, developers could be tricked into retrieving malicious Amazon Machine Images (AMI) while creating EC2 instances.