AWS AMI Encryption
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. The Amazon Machine Image (AMI) data encryption and decryption is handled transparently and does not require any additional action from your applications.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. The AMI encryption keys are using AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (KMS).
To identify any unencrypted AMIs created within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under IMAGES section, choose AMIs.
04 Select the image that you want to examine.
05 Select the Details tab from the dashboard bottom panel and copy the EBS snapshot ID (e.g. snap-0341f42cf1191edc6) available as value for the Block Devices attribute.
06 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.
07 Click inside the attributes filter box located under the dashboard top menu and select Snapshot ID from the dropdown list.
08 Paste the ID copied at step no. 5 into the attributes filter box as the Snapshot ID input value and press Enter.
09 Select the EBS snapshot returned as result, choose Description tab from the dashboard bottom panel and check the Encrypted attribute value available for the selected snapshot. Since the AWS AMIs are backed by EBS snapshots we can use the snapshots configuration details to get the encryption status of the associated AMIs. If the Encrypted attribute value is set to Not Encrypted, the selected Amazon Machine Image is not encrypted, therefore your EBS data-at-rest is not protected from unauthorized access.
10 Repeat steps no. 4 – 9 to identify any other unencrypted AMIs available in the current region.
11 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run describe-images command (OSX/Linux/UNIX) with custom filtering to list the IDs of all Amazon Machine Images (AMIs) currently available in the selected AWS region:
aws ec2 describe-images --region us-east-1 --owners self --output table --query 'Images[*].ImageId'
02 The command output should return the AMI IDs requested:
------------------ | DescribeImages | +----------------+ | ami-90221eeb | | ami-32a28c78 | | ami-3d708e51 | +----------------+
03 Run describe-images command (OSX/Linux/UNIX) using the image ID returned at the previous step as identifier and custom query filters to expose the encryption status for the selected AMI:
aws ec2 describe-images --region us-east-1 --image-ids ami-90221eeb --query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'
04 The command output should return the AMI encryption status ( true for encrypted and false for unencrypted):
[
false
]
05 Repeat steps no. 3 and 4 to identify any other unencrypted AMIs provisioned in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
To encrypt any unencrypted Amazon Machine Images available within your AWS account, you need to create AMIs with encrypted snapshots from AMIs with unencrypted snapshots by copying them. To implement the AMI encryption process, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under IMAGES section, choose AMIs.
04 Select the image that you want to encrypt.
05 Click the Actions dropdown button from the dashboard top menu and select Copy AMI.
06 Inside Copy AMI dialog box, perform the following actions:
07 Repeat steps no. 4 – 6 to encrypt other unencrypted AMIs available within the current region.
08 Change the AWS region from the navigation bar and repeat the entire process for the other regions.
01 Run copy-image command (OSX/Linux/UNIX) using the ID of the unencrypted AMI as identifier (see Audit section Step 01 to identify the right resource ID) to copy the selected AMI from the specified source region to the current region and encrypt it using the default KMS key provided by AWS. The following command example creates a copy of an AMI identified by the ID "ami-90221eeb" (source image), available within the US East (N. Virginia) source region, to the current region (destination region) and encrypts its data during the process using the KMS default master key (i.e. (default) aws/ebs):
aws ec2 copy-image --source-image-id ami-90221eeb --source-region us-east-1 --region us-east-1 --name "CloudConformity Web Server Image" --encrypted
02 The command output should return the ID of the new AMI:
{
"ImageId": "ami-7adee201"
}
03 Repeat steps no. 4 – 6 to encrypt other unencrypted AMIs available within the current region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat