Ensure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. AMI data encryption and decryption are handled transparently by AWS and require no additional action from your applications.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. AMI encryption uses the AES-256 algorithm, and the encryption keys are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (KMS).
Audit
To identify any unencrypted AMIs created within your AWS account, perform the following:
Remediation / Resolution
To encrypt any unencrypted Amazon Machine Images available within your AWS account, copy each AMI whose backing snapshots are unencrypted into a new AMI with encrypted snapshots. To implement the AMI encryption process, perform the following:
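As an added example (not part of the Cloud Conformity page and not the tool's own code), the following Python applies the audit and remediation logic described above to the shape of the `aws ec2 describe-images` output and builds the matching `aws ec2 copy-image --encrypted` call. The AMI IDs, snapshot IDs and KMS key ARN in the sample response are constructed placeholders.

```python
"""Audit AMIs for unencrypted EBS snapshots and build the encrypted-copy remediation.

Added example, not Cloud Conformity's code. The sample below mirrors the shape of
`aws ec2 describe-images --owners self` output; every ID in it is constructed.
"""
import shlex

# Constructed sample response: three AMIs, two of which are non-compliant.
SAMPLE_DESCRIBE_IMAGES = {
    "Images": [
        {
            "ImageId": "ami-0example1111111111",
            "Name": "web-base",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-0example1111111111", "Encrypted": False}},
            ],
        },
        {
            "ImageId": "ami-0example2222222222",
            "Name": "db-base",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-0exampleaaaaaaaaaa", "Encrypted": True,
                         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
                {"DeviceName": "/dev/sdb",
                 "Ebs": {"SnapshotId": "snap-0examplebbbbbbbbbb", "Encrypted": False}},
                # Instance-store mapping: no EBS snapshot, so nothing to encrypt here.
                {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral0"},
            ],
        },
        {
            "ImageId": "ami-0example3333333333",
            "Name": "hardened",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"SnapshotId": "snap-0examplecccccccccc", "Encrypted": True}},
            ],
        },
    ]
}


def unencrypted_devices(image):
    """Return device names of EBS-backed volumes whose snapshot is not encrypted.

    Mappings without an 'Ebs' key are instance-store volumes and are skipped;
    a missing 'Encrypted' field is treated as unencrypted (fail closed).
    """
    return [
        m["DeviceName"]
        for m in image.get("BlockDeviceMappings", [])
        if "Ebs" in m and not m["Ebs"].get("Encrypted", False)
    ]


def audit_amis(describe_images_response):
    """Map each non-compliant AMI ID to its unencrypted device names.

    An AMI is non-compliant if any single EBS snapshot backing it is unencrypted,
    even when the root volume is already encrypted.
    """
    findings = {}
    for image in describe_images_response.get("Images", []):
        devices = unencrypted_devices(image)
        if devices:
            findings[image["ImageId"]] = devices
    return findings


def encrypted_copy_command(image_id, source_region, name, kms_key_id=None):
    """Build the `aws ec2 copy-image` invocation that yields an encrypted copy.

    With --encrypted and no --kms-key-id, AWS encrypts the new snapshots with the
    account's default EBS KMS key; pass a customer-managed key to use it instead.
    """
    args = ["aws", "ec2", "copy-image",
            "--source-image-id", image_id,
            "--source-region", source_region,
            "--name", name,
            "--encrypted"]
    if kms_key_id:
        args += ["--kms-key-id", kms_key_id]
    return shlex.join(args)


if __name__ == "__main__":
    for ami_id, devices in audit_amis(SAMPLE_DESCRIBE_IMAGES).items():
        print(f"{ami_id}: unencrypted devices {devices}")
        print("  remediation:", encrypted_copy_command(ami_id, "us-east-1", f"{ami_id}-encrypted"))
```

The copy produces a new AMI with a new ID and leaves the source AMI and its unencrypted snapshots in place, so launch templates and Auto Scaling groups must be pointed at the encrypted copy before the original is deregistered and its snapshots deleted.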
References
- AWS Documentation
  - Amazon Machine Images (AMI)
  - AMIs with Encrypted Snapshots
  - Copying an AMI
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-images
  - copy-image
Rule: AWS AMI Encryption. Risk level: High.