Control: Ensure Images (AMI's) are encrypted

Description

Amazon Machine Images should utilize EBS Encrypted snapshots.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ec2_ami_ebs_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ec2_ami_ebs_encryption_enabled --share

SQL

This control uses a named query:

with encryption_status as (
  select
    image_id as resource,
    region,
    account_id,
    tags,
    _ctx,
    bool_and(coalesce((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', false)) as all_encrypted
  from
    aws_ec2_ami
    cross join jsonb_array_elements(block_device_mappings) as mapping
  group by
    image_id,
    region,
    account_id,
    tags,
    _ctx
)
select
  resource,
  case
    when all_encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when all_encrypted then resource || ' all EBS volumes are encrypted.'
    else resource || ' all EBS volumes are not encrypted.'
  end as reason
  
  , region, account_id
from
  encryption_status;

Control: Ensure Images (AMI's) are encrypted

Description

Usage

SQL

Tags