Ensure encryption is enabled for Amazon Machine Image (AMI)

MEDIUM

Description

If an AWS AMI is backed by Elastic Block Storage (EBS), the AMI can be encrypted. An EBS-backed AMI that does not have encryption enabled stores its backing snapshot data unencrypted at rest, which could result in data loss.
References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

Remediation

AWS Amazon Machine Images (AMIs) should be encrypted using encrypted EBS snapshots; AMIs created from encrypted EBS snapshots are encrypted by default. To ensure that "Encrypt by default" is configured for EBS, follow the steps below.

In AWS Console -

  1. Log into the AWS Console and go to the EC2 Console.
  2. On the navigation bar, select EC2 Dashboard.
  3. In the upper right, under Account Attributes, select EBS Encryption.
  4. Click Manage.
  5. Set to Enabled, then select Save EBS encryption.

In Terraform -

  1. In the aws_ami resource, set 'ebs_block_device.encrypted' to 'true'.
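The following Terraform is an added example, not part of the original policy page or the Terraform provider's own documentation: an aws_ami resource that omits encryption beside the corrected form, plus the account-level equivalent of the console steps above. Resource names, the AMI names, device name and volume size are assumed values for illustration.

```hcl
# Added example (not from the original page). Names and sizes are assumptions.

# Weak: ebs_block_device.encrypted is omitted (defaults to false), so the
# snapshot that backs the AMI's root volume is stored unencrypted.
resource "aws_ami" "app_unencrypted" {
  name                = "app-image-unencrypted"
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"

  ebs_block_device {
    device_name = "/dev/xvda"
    volume_size = 8
    # encrypted is not set, so it defaults to false
  }
}

# Corrected: encrypted = true on every ebs_block_device, so the AMI's backing
# snapshot is encrypted (using the account's default EBS KMS key).
resource "aws_ami" "app" {
  name                = "app-image"
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"

  ebs_block_device {
    device_name = "/dev/xvda"
    volume_size = 8
    encrypted   = true
  }
}

# Account-level equivalent of the console steps above: enables
# "Encrypt by default" for EBS in the region the provider is configured for,
# so new volumes and snapshots are encrypted even if a template omits the flag.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}
```

To verify an existing image after apply, `aws ec2 describe-images --image-ids <ami-id> --query 'Images[].BlockDeviceMappings[].Ebs.Encrypted'` should return `true` for every EBS mapping.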

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami

Policy Details

Rule Reference ID: AC_AWS_0005
CSP: AWS
Remediation Available: Yes
Resource: aws_ami
Resource Category: Compute

Frameworks