EC2 instances launched from Amazon-owned AMIs are evaluated for the AMI's DeprecationTime; instances tied to images with a deprecation date in the past are reported as using deprecated AMIs.
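The evaluation the check performs, as an added stand-alone example (not Prowler's own code): it joins instances to their images, limits scope to Amazon-owned AMIs via ImageOwnerAlias, and compares DeprecationTime with the current time. The sample instances and images are constructed in the shape of the describe_instances / describe_images responses; the field names are the real AWS ones, the IDs are made up.

```python
from datetime import datetime, timezone

# Constructed sample data in the shape of ec2.describe_instances / describe_images
# responses, trimmed to the fields this check needs (not real AWS output).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-0old"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-0current"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-0custom"},
    {"InstanceId": "i-0ddd", "ImageId": "ami-0gone"},
]
SAMPLE_IMAGES = [
    {"ImageId": "ami-0old", "ImageOwnerAlias": "amazon",
     "DeprecationTime": "2023-06-30T00:00:00.000Z"},
    {"ImageId": "ami-0current", "ImageOwnerAlias": "amazon",
     "DeprecationTime": "2030-01-01T00:00:00.000Z"},
    # Customer-owned image: out of scope for this check even though deprecated
    {"ImageId": "ami-0custom", "OwnerId": "111122223333",
     "DeprecationTime": "2020-01-01T00:00:00.000Z"},
]


def parse_deprecation_time(value):
    """Parse the ISO 8601 timestamp AWS returns, e.g. '2023-06-30T00:00:00.000Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def instances_on_deprecated_amis(instances, images, now=None):
    """Map each InstanceId to DEPRECATED, OK or AMI_NOT_FOUND.

    DEPRECATED: Amazon-owned AMI whose DeprecationTime is in the past.
    AMI_NOT_FOUND: the image is no longer visible (e.g. removed from the
    catalog), so the deprecation date cannot be evaluated and needs follow-up.
    """
    now = now or datetime.now(timezone.utc)
    by_id = {img["ImageId"]: img for img in images}
    findings = {}
    for inst in instances:
        img = by_id.get(inst["ImageId"])
        if img is None:
            findings[inst["InstanceId"]] = "AMI_NOT_FOUND"
        elif img.get("ImageOwnerAlias") != "amazon":
            findings[inst["InstanceId"]] = "OK"  # check scoped to Amazon-owned AMIs
        elif img.get("DeprecationTime") and parse_deprecation_time(img["DeprecationTime"]) <= now:
            findings[inst["InstanceId"]] = "DEPRECATED"
        else:
            findings[inst["InstanceId"]] = "OK"
    return findings


if __name__ == "__main__":
    for iid, status in instances_on_deprecated_amis(SAMPLE_INSTANCES, SAMPLE_IMAGES).items():
        print(iid, status)
```

In a real account the two sample lists would come from paginated describe_instances and describe_images(Owners=["amazon"], IncludeDeprecated=True) calls; the evaluation logic is unchanged.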
Risk
Running on a deprecated AMI undermines security and availability:
- Missing patches enable exploitation of known CVEs (confidentiality/integrity)
- Unsupported components hinder hardening and forensics
- AMI removal from catalogs complicates scale-out and recovery (availability)
Run this check with Prowler CLI
prowler aws --checks ec2_instance_with_outdated_ami
Recommendation
Adopt non-deprecated, maintained AMIs and perform rolling replacements of affected instances. Standardize on hardened golden images with regular AMI rotation and DeprecationTime monitoring. Update launch templates/ASGs to reference current images. Automate patching via an image pipeline and apply defense in depth.
Remediation
Other
- In the EC2 console, go to AMIs
- Set Owner to "Amazon" and ensure deprecated AMIs are not included; copy the AMI ID
- If using an Auto Scaling Group:
  - Launch templates > select the one in use > Create new version with Image ID set to the copied AMI and set it as default
  - Auto Scaling Groups > select the group > Start instance refresh
- If it is a standalone instance:
  - Launch a new instance using the copied Amazon AMI
  - Move workloads and terminate the old instance
Resource Type
AwsEc2Instance