AWS AMI Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-057

Ensure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. An EBS-backed AMI is encrypted when the EBS snapshots that back it are encrypted; encryption and decryption of that data are handled transparently by Amazon EBS and require no changes to your applications.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When dealing with production data that is crucial to your business, it is highly recommended to encrypt it in order to protect it from attackers or unauthorized personnel. Encrypted AMIs are backed by encrypted EBS snapshots: the data is encrypted with the AES-256 algorithm, and the encryption keys are managed and protected by AWS Key Management Service (AWS KMS), using either the AWS managed key for EBS (aws/ebs) or a customer managed key that you control.


Audit

To identify any unencrypted AMIs created within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to examine.

05 Select the Details tab from the console bottom panel and copy the ID(s) of the EBS snapshot(s) listed as value for the Block Devices attribute (e.g. snap-01234123412341234). An AMI with several EBS volumes lists one snapshot per volume; every one of them must be checked, because a single unencrypted snapshot means the image is not fully encrypted.

06 In the navigation panel, under Elastic Block Store, choose Snapshots.

07 Click inside the Filter by tags and attributes or search by keyword box, select Snapshot ID, paste the ID copied at step no. 5, and press Enter.

08 Select the Amazon EBS snapshot returned as result, choose the Description tab from the console bottom panel, and check the Encryption attribute value. Because EBS-backed Amazon Machine Images (AMIs) are registered sets of EBS snapshots, the encryption status of those snapshots is the encryption status of the AMI. If the Encryption attribute value is set to Not Encrypted for any of the snapshots, the data on the selected Amazon Machine Image (AMI) is not encrypted.

09 Repeat steps no. 4 – 8 for each Amazon Machine Image available within the current AWS region.

10 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:

aws ec2 describe-images \
  --region us-east-1 \
  --owners self \
  --output table \
  --query 'Images[*].ImageId'

02 The command output should return the requested image ID(s):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0abcdabcdabcdabcd  |
|  ami-0abcd1234abcd1234  |
|  ami-01234abcd1234abcd  |
+-------------------------+

03 Run describe-images command (OSX/Linux/UNIX) using the ID of the Amazon Machine Image (AMI) that you want to examine as the identifier parameter and custom query filters to describe the encryption status available for the selected AMI:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-0abcdabcdabcdabcd \
  --query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'

04 The command output should return the encryption status of each EBS volume that backs the image (true for encrypted and false for unencrypted):

[
	false
]

If the describe-images command output returns false for any of the listed volumes, at least one EBS volume of the selected Amazon Machine Image (AMI) is not encrypted. An empty list ([]) means the image is instance store-backed and has no EBS snapshots to evaluate; this rule does not apply to it.

05 Repeat steps no. 3 and 4 for each Amazon Machine Image available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To enable encryption for your existing Amazon Machine Images (AMIs), perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# The existing, unencrypted image, registered from its unencrypted root snapshot.
resource "aws_ami" "aws-ami" {
  name                = "conformity-ami"
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda"

  ebs_block_device {
    device_name = "/dev/xvda"
    snapshot_id = "snap-01234abcd1234abcd"
    volume_size = 100
  }
}

# Encrypted copy of the image above. source_ami_region is required by the
# provider; kms_key_id selects a customer managed key (omit it to use the
# account's default EBS encryption key, aws/ebs unless changed).
resource "aws_ami_copy" "aws-ami-copy" {
  name              = "conformity-encrypted-ami"
  source_ami_id     = aws_ami.aws-ami.id
  source_ami_region = "us-east-1"
  encrypted         = true
  kms_key_id        = "arn:aws:kms:us-east-1:123412341234:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to encrypt.

05 Click the Actions dropdown button from the console top menu and select Copy AMI.

06 In the Copy AMI configuration box, perform the following actions:

  1. Select the destination AWS region from the Destination region dropdown list.
  2. Enter a unique name for your new AMI in the Name box.
  3. (Optional) Provide a short description for the new AMI in Description box.
  4. Select Encrypt target EBS snapshots next to Encryption, and choose the KMS key to use from the Master Key dropdown list. The key can be the AWS managed key for EBS (aws/ebs) or a customer managed KMS key. Note that an AMI encrypted with the aws/ebs key cannot be shared with other AWS accounts, so use a customer managed key if the image must be shared. If you don't have a customer managed key already created, follow the steps outlined in this conformity rule to create a new one.
  5. Choose Copy AMI to start the copy, then click Done to return to the Amazon EC2 console. The copy should take a few minutes (longer for large snapshots). Once the operation is completed, the status of the new AMI should change from pending to available.

07 Repeat steps no. 4 – 6 to encrypt other Amazon Machine Images available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run copy-image command (OSX/Linux/UNIX) using the ID of the unencrypted Amazon Machine Image (AMI) that you want to encrypt as the identifier parameter. The command copies the AMI from the source region to the destination region and encrypts the target EBS snapshots with the specified KMS key (AWS managed or customer managed). When --encrypted is given without --kms-key-id, EC2 uses the account's default EBS encryption key (aws/ebs unless you have changed it); add --kms-key-id with the key ARN to use a customer managed key, which is required if the encrypted AMI must be shared with other accounts. The copy does not change or remove the source AMI; once the encrypted copy is available and your launch templates reference it, deregister the unencrypted image and delete its snapshots. The following command request example creates an encrypted copy of the AMI identified by the ID ami-0abcdabcdabcdabcd, in the US East (N. Virginia) region, using the AWS managed key (i.e. aws/ebs) for data encryption:

aws ec2 copy-image \
  --source-image-id ami-0abcdabcdabcdabcd \
  --source-region us-east-1 \
  --region us-east-1 \
  --name "Encrypted Production Web AMI" \
  --encrypted

02 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-01234123412341234" 
}

03 Repeat steps no. 1 and 2 to encrypt other Amazon Machine Images available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
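The CLI audit (describe-images per image) and remediation (copy-image per image) steps above are tedious to repeat by hand across many AMIs and regions. The following Python script is an added example, not Conformity's or AWS's own code: it classifies every image from a describe-images response, handling the edge cases the one-line JMESPath query hides (instance store-backed images with no EBS snapshots, ephemeral mappings, images with an encrypted root but an unencrypted data volume), and then creates, waits for and verifies an encrypted copy. The classification functions run offline against the constructed sample response embedded below; audit_region() and encrypt_ami_copy() assume boto3 is installed and AWS credentials are configured, and the tag key conformity:replaced-by is an assumption of this example.

```python
"""Audit EBS-backed AMIs for unencrypted volumes and create encrypted copies.

Added example; not Conformity's or AWS's own code. The classification logic is
pure and runs offline against the constructed describe-images response below;
audit_region() and encrypt_ami_copy() need boto3 and AWS credentials.
"""
from __future__ import annotations

from typing import Any

# Constructed sample in the shape returned by `aws ec2 describe-images`
# (only the fields this example reads are included).
SAMPLE_RESPONSE: dict[str, Any] = {
    "Images": [
        {   # fully encrypted: passes the rule
            "ImageId": "ami-0aaaaaaaaaaaaaaa1",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa1", "Encrypted": True}},
            ],
        },
        {   # root volume unencrypted: fails the rule
            "ImageId": "ami-0bbbbbbbbbbbbbbb2",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0bbb1", "Encrypted": False}},
            ],
        },
        {   # encrypted root, unencrypted data volume, plus an ephemeral mapping
            "ImageId": "ami-0ccccccccccccccc3",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ccc1", "Encrypted": True}},
                {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0ccc2", "Encrypted": False}},
                {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
            ],
        },
        {   # instance store-backed: no EBS snapshots, rule does not apply
            "ImageId": "ami-0ddddddddddddddd4",
            "BlockDeviceMappings": [{"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}],
        },
    ]
}


def ebs_encryption_status(image: dict[str, Any]) -> str | None:
    """Classify one image as 'encrypted', 'unencrypted', 'mixed', or None.

    None means the image has no EBS snapshots (instance store-backed). Mappings
    without an Ebs key (ephemeral volumes) are skipped, mirroring the JMESPath
    flatten used in the CLI audit.
    """
    flags = [m["Ebs"].get("Encrypted", False)
             for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]
    if not flags:
        return None
    if all(flags):
        return "encrypted"
    if not any(flags):
        return "unencrypted"
    return "mixed"


def find_unencrypted_amis(response: dict[str, Any]) -> list[str]:
    """Return the IDs of images with at least one unencrypted EBS snapshot."""
    return sorted(img["ImageId"] for img in response.get("Images", [])
                  if ebs_encryption_status(img) in ("unencrypted", "mixed"))


def audit_region(region: str) -> list[str]:
    """Live audit of the AMIs owned by this account in one region."""
    import boto3  # imported here so the offline functions work without it

    ec2 = boto3.client("ec2", region_name=region)
    return find_unencrypted_amis(ec2.describe_images(Owners=["self"]))


def encrypt_ami_copy(region: str, source_image_id: str, kms_key_id: str | None = None) -> str:
    """Copy an AMI in place with encryption, wait for it, and verify the result.

    Without kms_key_id, EC2 uses the account's default EBS encryption key
    (aws/ebs unless changed). An AMI encrypted with aws/ebs cannot be shared
    with other accounts, so pass a customer managed key when sharing is needed.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    params: dict[str, Any] = {
        "SourceImageId": source_image_id,
        "SourceRegion": region,
        "Name": f"{source_image_id}-encrypted",
        "Encrypted": True,
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    new_id = ec2.copy_image(**params)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[new_id])
    copied = ec2.describe_images(ImageIds=[new_id])["Images"][0]
    if ebs_encryption_status(copied) != "encrypted":
        raise RuntimeError(f"{new_id} is not fully encrypted; check the KMS key policy")
    # Tag the source so it can be deregistered once nothing launches from it
    # (the tag key is an assumption of this example, not an AWS convention).
    ec2.create_tags(Resources=[source_image_id],
                    Tags=[{"Key": "conformity:replaced-by", "Value": new_id}])
    return new_id


if __name__ == "__main__":
    print("unencrypted in constructed sample:", find_unencrypted_amis(SAMPLE_RESPONSE))
```

Run it as-is to see the classification of the constructed sample; for a live audit call audit_region("us-east-1") and feed each returned ID to encrypt_ami_copy(), then deregister the source AMI and delete its snapshots once the encrypted copy is in use. A "mixed" result is deliberately reported as a finding, since the console and CLI steps above only pass an image whose every snapshot is encrypted.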

Publication date Sep 22, 2017