
AWS AMI Encryption

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EC2-057

Ensure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. The Amazon Machine Image (AMI) data encryption and decryption is handled transparently and does not require any additional action from your applications.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. AMI encryption uses the AES-256 algorithm, and the encryption keys are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (KMS).

Audit

To identify any unencrypted AMIs created within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to examine.

05 Choose the Details tab from the console split panel and copy the ID of the associated EBS snapshot listed under Block devices. The EBS snapshot has the following format: snap-01234123412341234.

06 In the left navigation panel, under Elastic Block Store, choose Snapshots.

07 Click inside the Search box, select Snapshot ID, choose Equals from Operators, paste the snapshot ID copied in step no. 5, and press Enter.

08 Select the EBS snapshot returned in the previous step, choose the Details tab from the console split panel, and check the Encryption attribute value. Because the Amazon Machine Images (AMIs) are backed by EBS snapshots, you can use the configuration details of the associated EBS snapshots to determine the encryption status of your AMIs. If the Encryption attribute value is set to Not encrypted, the data on the selected Amazon Machine Image (AMI) is not encrypted.

09 Repeat steps no. 4 – 8 for each Amazon Machine Image (AMI) available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom output filters to describe the ID of each Amazon Machine Image (AMI) available in the selected AWS cloud region:

aws ec2 describe-images \
	--region us-east-1 \
	--owners self \
	--output table \
	--query 'Images[*].ImageId'

02 The command output should return the requested image ID(s):

---------------------------
|     DescribeImages      |
+-------------------------+
|  ami-0abcdabcdabcdabcd  |
|  ami-0abcd1234abcd1234  |
|  ami-01234abcd1234abcd  |
+-------------------------+

03 Run describe-images command (OSX/Linux/UNIX) with the ID of the Amazon Machine Image (AMI) that you want to examine as the identifier parameter and custom output filters to describe the encryption status available for the selected AMI:

aws ec2 describe-images \
	--region us-east-1 \
	--image-ids ami-0abcdabcdabcdabcd \
	--query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'

04 The command output should return the requested encryption status (true for encrypted and false for unencrypted):

[
	false
]

If the describe-images command output returns false, the data on the selected Amazon Machine Image (AMI) is not encrypted.

05 Repeat steps no. 3 and 4 for each Amazon Machine Image (AMI) available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable encryption at rest for your existing Amazon Machine Images (AMIs), perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# The existing (unencrypted) AMI, registered from an unencrypted EBS snapshot
resource "aws_ami" "aws-ami" {
	name                = "conformity-ami"
	virtualization_type = "hvm"
	root_device_name    = "/dev/xvda"
	ebs_block_device {
		device_name = "/dev/xvda"
		snapshot_id = "snap-01234abcd1234abcd"
		volume_size = 100
	}
}

# Encrypted copy of the AMI above; source_ami_region is a required argument of aws_ami_copy
resource "aws_ami_copy" "aws-ami-copy" {
	name              = "conformity-encrypted-ami"
	source_ami_id     = aws_ami.aws-ami.id
	source_ami_region = "us-east-1"
	encrypted         = true
	kms_key_id        = "arn:aws:kms:us-east-1:123412341234:key/abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Images, choose AMIs.

04 Select the Amazon Machine Image (AMI) that you want to encrypt.

05 Choose Actions, select Copy AMI, and perform the following actions to copy and encrypt your AMI:

  1. Enter a unique name for your new AMI in the AMI copy name box.
  2. (Optional) Provide a short description for the new AMI in AMI copy description box.
  3. Select the destination AWS region from the Destination Region dropdown list.
  4. (Optional) Select the Copy tags checkbox to include your user-defined tags when copying the AMI.
  5. Select the Encrypt EBS snapshots of AMI copy checkbox and choose an Amazon KMS key from the KMS key dropdown list. The KMS key can be an AWS-managed key (e.g., arn:aws:kms:us-east-1:123456789012:alias/aws/ebs) or a Customer-Managed Key (CMK) that you create and manage.
  6. (Optional) For Tags - optional, choose Tag image and snapshots together, and define your own tag sets.
  7. Choose Copy AMI to initiate the replication process. The replication process should take a few minutes. Once the operation is completed, the status of the new AMI should change from Pending to Available.

06 Repeat steps no. 4 and 5 for each Amazon Machine Image (AMI) that you want to encrypt, available within the current AWS region.

07 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run copy-image command (OSX/Linux/UNIX) with the ID of the unencrypted Amazon Machine Image (AMI) that you want to encrypt as the identifier parameter. The command copies the specified AMI from the source AWS region to the destination region and encrypts the image using an Amazon KMS key (AWS-managed key or Customer-Managed Key). The following command example creates an encrypted copy of the AMI identified by the ID ami-0abcdabcdabcdabcd, in the US East (N. Virginia) region. Because no --kms-key-id parameter is given, the copy is encrypted with the AWS-managed key for EBS resources (e.g., arn:aws:kms:us-east-1:123456789012:alias/aws/ebs):

aws ec2 copy-image \
	--source-image-id ami-0abcdabcdabcdabcd \
	--source-region us-east-1 \
	--region us-east-1 \
	--name "Encrypted Production AMI" \
	--encrypted

02 The command output should return the ID of the new Amazon Machine Image (AMI):

{
	"ImageId": "ami-01234123412341234"
}

03 Repeat steps no. 1 and 2 for each Amazon Machine Image (AMI) that you want to encrypt, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
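The CLI Audit steps above check one AMI at a time and read a flattened list of Encrypted values, which is easy to misread for an AMI with several block devices (one value per EBS snapshot). The script below is an added example, not part of the Conformity page or the AWS CLI: it evaluates a whole describe-images response at once, treats an AMI as non-compliant if any of its EBS snapshots is unencrypted, skips instance-store mappings (which have no Ebs section), and for each finding builds the copy-image command from the Remediation section. The image IDs, snapshot IDs and the default-key handling in the sample data are constructed for the example; the optional kms_key_id parameter is an assumption for callers who want a Customer-Managed Key instead of the default EBS key.

```python
"""Audit AMI encryption from a describe-images response and emit the
copy-image remediation commands (added example, not Conformity's code).

Offline, it runs on the constructed SAMPLE_RESPONSE below. Against a real
account it reads the CLI's JSON from stdin:

    aws ec2 describe-images --region us-east-1 --owners self --output json \
        | python3 ami_encryption_audit.py --region us-east-1
"""
import json
import sys

# Constructed sample in the shape of a describe-images response.
# All IDs are made up for the example.
SAMPLE_RESPONSE = {
    "Images": [
        {   # every EBS snapshot encrypted: compliant
            "ImageId": "ami-0abcd1234abcd1234",
            "Name": "app-server-encrypted",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "Encrypted": True}},
            ],
        },
        {   # root encrypted, data volume not: still non-compliant
            "ImageId": "ami-01234abcd1234abcd",
            "Name": "db-server-mixed",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "Encrypted": True}},
                {"DeviceName": "/dev/sdf",
                 "Ebs": {"SnapshotId": "snap-0cccccccccccccccc", "Encrypted": False}},
                {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},  # instance store
            ],
        },
        {   # single unencrypted root volume, the page's "[false]" case
            "ImageId": "ami-0abcdabcdabcdabcd",
            "Name": "legacy-unencrypted",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-01234123412341234", "Encrypted": False}},
            ],
        },
    ]
}


def unencrypted_devices(image: dict) -> list:
    """Device names of EBS-backed mappings whose snapshot is not encrypted.

    Mappings without an "Ebs" key are instance-store volumes: they have no
    snapshot and therefore no encryption attribute, so they are skipped.
    """
    return [
        m["DeviceName"]
        for m in image.get("BlockDeviceMappings", [])
        if "Ebs" in m and not m["Ebs"].get("Encrypted", False)
    ]


def unencrypted_amis(response: dict) -> dict:
    """Map each non-compliant ImageId to its list of unencrypted devices.

    Any unencrypted EBS snapshot makes the AMI non-compliant, so an AMI
    whose flattened query output reads [true, false] is still reported.
    """
    findings = {}
    for image in response.get("Images", []):
        devices = unencrypted_devices(image)
        if devices:
            findings[image["ImageId"]] = devices
    return findings


def copy_image_command(image_id: str, region: str, name: str,
                       kms_key_id: str = None) -> list:
    """Argv for the page's copy-image remediation of one AMI.

    With no kms_key_id, --encrypted alone uses the account's default EBS
    key, matching the CLI example in the Remediation section.
    """
    argv = ["aws", "ec2", "copy-image",
            "--source-image-id", image_id,
            "--source-region", region,
            "--region", region,
            "--name", name,
            "--encrypted"]
    if kms_key_id:  # assumed optional CMK override
        argv += ["--kms-key-id", kms_key_id]
    return argv


def main(argv: list) -> int:
    region = argv[argv.index("--region") + 1] if "--region" in argv else "us-east-1"
    # Use the embedded sample when nothing is piped in.
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = unencrypted_amis(response)
    for image_id, devices in findings.items():
        print(f"NON-COMPLIANT {image_id}: unencrypted {', '.join(devices)}")
        print("  " + " ".join(copy_image_command(image_id, region, f"{image_id}-encrypted")))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script only prints the copy-image commands rather than executing them, so the findings can be reviewed (and a Customer-Managed Key chosen) before any AMI is copied; the non-zero exit status when findings exist makes it usable as a check in a pipeline.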

Publication date Sep 22, 2017