Control: 2.1.2 Ensure Images (AMI's) are encrypted
Description
Amazon Machine Images should utilize EBS Encrypted snapshots.
AMIs backed by EBS snapshots should use EBS encryption. Snapshot volumes can be encrypted and attached to an AMI.
Remediation
Perform the following to encrypt AMI EBS Snapshots:
From Console:
- Log in to the EC2 console at https://console.aws.amazon.com/ec2/.
- In the left pane click on AMIs.
- Select the AMI that does not comply with the encryption policy.
- Click on Actions.
- Click on Copy AMI.
  - Destination region - `Select the region the AMI is in`
  - Name - `Enter the new Name`
  - Description - `Enter the new description`
  - Encryption - `Select` Encrypt target EBS snapshots
- Click on Copy AMI.

Once the AMI has finished copying:
- Select the AMI that does not have encrypted EBS snapshots.
- Click on Actions.
- Click on Deregister.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_1_2 --share
SQL
This control uses a named query:
with encryption_status as (
  select
    image_id as resource,
    region,
    account_id,
    tags,
    _ctx,
    -- True only if every block device mapping has Ebs.Encrypted = true.
    -- A mapping with no Ebs.Encrypted value counts as unencrypted.
    bool_and(coalesce((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', false)) as all_encrypted
  from
    aws_ec2_ami
    cross join jsonb_array_elements(block_device_mappings) as mapping
  group by
    image_id,
    region,
    account_id,
    tags,
    _ctx
)
select
  resource,
  case
    when all_encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when all_encrypted then resource || ' all EBS volumes are encrypted.'
    else resource || ' all EBS volumes are not encrypted.'
  end as reason
  , region, account_id
from
  encryption_status;
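
The same pass/fail logic as the query above, re-implemented in Python as an added example (not code from the control or the Powerpipe mod) so its edge cases can be checked offline. The sample data is constructed in the shape of `aws ec2 describe-images` output, the image and snapshot IDs are made up, and `evaluate` is a hypothetical helper name.

```python
# Constructed sample shaped like `aws ec2 describe-images` output; all IDs are made up.
SAMPLE = {"Images": [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0a1", "Encrypted": True}},
        {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0a2", "Encrypted": True}},
    ]},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0b1", "Encrypted": True}},
        {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0b2", "Encrypted": False}},
    ]},
    # Encrypted root volume plus an instance-store mapping that has no "Ebs" key.
    {"ImageId": "ami-0ccccccccccccccc3", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0c1", "Encrypted": True}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    ]},
    # No mappings at all: the SQL cross join produces no row for this image.
    {"ImageId": "ami-0ddddddddddddddd4", "BlockDeviceMappings": []},
]}


def evaluate(describe_images):
    """Return one result per AMI, mirroring the query's bool_and/coalesce logic."""
    results = []
    for image in describe_images.get("Images", []):
        mappings = image.get("BlockDeviceMappings") or []
        if not mappings:
            continue  # same as the cross join: an AMI without mappings is not reported
        # coalesce(... = 'true', false): a missing Ebs or Encrypted value counts as unencrypted
        failing = [m.get("DeviceName", "?") for m in mappings
                   if (m.get("Ebs") or {}).get("Encrypted") is not True]
        results.append({
            "resource": image["ImageId"],
            "status": "alarm" if failing else "ok",
            # Extra detail the query does not return: which devices caused the alarm.
            "unencrypted_devices": failing,
        })
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row["resource"], row["status"], ",".join(row["unencrypted_devices"]) or "-")
```

The third sample AMI shows that an image whose EBS snapshots are all encrypted still alarms when it carries an instance-store mapping, and the fourth shows that an image with no mappings is absent from the results instead of being marked `ok`.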