Ensure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. Encryption and decryption of AMI data is handled transparently and requires no additional action from your applications.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. AMI encryption uses the AES-256 algorithm, and the encryption keys are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (KMS).
Audit
To identify any unencrypted AMIs created within your AWS cloud account, perform the following operations:
Remediation / Resolution
To enable encryption for your existing Amazon Machine Images (AMIs), perform the following operations:
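The following script is an added example covering both the audit and the remediation steps above; it is not part of the Conformity rule page or its tooling. It walks a constructed `describe-images` response (the AMI and snapshot IDs are made up), flags every EBS-backed AMI that still has an unencrypted snapshot, and builds the `aws ec2 copy-image --encrypted` command that produces an encrypted copy; the region, KMS key alias and new AMI name are assumed values.

```python
import json
import shlex

# Constructed sample modelled on the shape of `aws ec2 describe-images --owners self`
# output; the image and snapshot IDs are made up for this example.
SAMPLE_DESCRIBE_IMAGES = json.loads("""
{
  "Images": [
    {"ImageId": "ami-0000000000000001", "Name": "app-encrypted", "RootDeviceType": "ebs",
     "BlockDeviceMappings": [
       {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0000000000000001", "Encrypted": true}}]},
    {"ImageId": "ami-0000000000000002", "Name": "app-mixed", "RootDeviceType": "ebs",
     "BlockDeviceMappings": [
       {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0000000000000002", "Encrypted": true}},
       {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-0000000000000003", "Encrypted": false}},
       {"DeviceName": "/dev/xvdc", "VirtualName": "ephemeral0"}]},
    {"ImageId": "ami-0000000000000003", "Name": "legacy", "RootDeviceType": "ebs",
     "BlockDeviceMappings": [
       {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-0000000000000004"}}]}
  ]
}
""")


def find_unencrypted_amis(response):
    """Return {ImageId: [unencrypted SnapshotIds]} for every AMI that has at
    least one unencrypted EBS snapshot. Instance-store (ephemeral) mappings
    carry no "Ebs" key and are skipped; a missing "Encrypted" flag is treated
    as unencrypted so the audit fails closed."""
    findings = {}
    for image in response.get("Images", []):
        bad = [m["Ebs"]["SnapshotId"] for m in image.get("BlockDeviceMappings", [])
               if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]
        if bad:
            findings[image["ImageId"]] = bad
    return findings


def copy_image_command(image_id, region, kms_key_id, new_name):
    """Build the `aws ec2 copy-image` invocation that creates an encrypted copy
    of image_id in the same region; every snapshot of the copy is encrypted
    with the given customer-managed KMS key (assumed alias in the demo)."""
    return ["aws", "ec2", "copy-image",
            "--region", region, "--source-region", region,
            "--source-image-id", image_id, "--name", new_name,
            "--encrypted", "--kms-key-id", kms_key_id]


if __name__ == "__main__":
    for ami, snaps in find_unencrypted_amis(SAMPLE_DESCRIBE_IMAGES).items():
        print(f"{ami}: unencrypted snapshots {snaps}")
        print(shlex.join(copy_image_command(ami, "us-east-1",
                                            "alias/ami-encryption-key", f"{ami}-encrypted")))
```

The copy is a new AMI with a new ID, so launch templates and Auto Scaling groups must be repointed before the original image is deregistered and its unencrypted snapshots deleted.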
References
- AWS Documentation
- Amazon Machine Images (AMI)
- AMIs with Encrypted Snapshots
- Copying an AMI
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-images
- copy-image