Logo of Trend Micro

AWS AMI Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: EC2-057

Ensure that your Amazon Machine Images (AMIs) are encrypted to fulfill compliance requirements for data-at-rest encryption. The Amazon Machine Image (AMI) data encryption and decryption is handled transparently and does not require any additional action from your applications.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. The AMI encryption keys are using AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (KMS).

Audit

To identify any unencrypted AMIs created within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to examine.

05 Select the Details tab from the dashboard bottom panel and copy the EBS snapshot ID (e.g. snap-0341f42cf1191edc6) available as value for the Block Devices attribute.

06 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

07 Click inside the attributes filter box located under the dashboard top menu and select Snapshot ID from the dropdown list.

08 Paste the ID copied at step no. 5 into the attributes filter box as the Snapshot ID input value and press Enter.

09 Select the EBS snapshot returned as result, choose Description tab from the dashboard bottom panel and check the Encrypted attribute value available for the selected snapshot. Since the AWS AMIs are backed by EBS snapshots we can use the snapshots configuration details to get the encryption status of the associated AMIs. If the Encrypted attribute value is set to Not Encrypted, the selected Amazon Machine Image is not encrypted, therefore your EBS data-at-rest is not protected from unauthorized access.

10 Repeat steps no. 4 – 9 to identify any other unencrypted AMIs available in the current region.

11 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-images command (OSX/Linux/UNIX) with custom filtering to list the IDs of all Amazon Machine Images (AMIs) currently available in the selected AWS region: 

aws ec2 describe-images
	--region us-east-1
	--owners self
	--output table
	--query 'Images[*].ImageId'

02 The command output should return the AMI IDs requested: 

------------------
| DescribeImages |
+----------------+
|  ami-90221eeb  |
|  ami-32a28c78  |
|  ami-3d708e51  |
+----------------+

03 Run describe-images command (OSX/Linux/UNIX) using the image ID returned at the previous step as identifier and custom query filters to expose the encryption status for the selected AMI: 

aws ec2 describe-images
	--region us-east-1
	--image-ids ami-90221eeb
	--query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'

04 The command output should return the AMI encryption status ( true for encrypted and false for unencrypted): 

[
    false
]

05 Repeat steps no. 3 and 4 to identify any other unencrypted AMIs provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To encrypt any unencrypted Amazon Machine Images available within your AWS account, you need to create AMIs with encrypted snapshots from AMIs with unencrypted snapshots by copying them. To implement the AMI encryption process, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under IMAGES section, choose AMIs.

04 Select the image that you want to encrypt.

05 Click the Actions dropdown button from the dashboard top menu and select Copy AMI.

06 Inside Copy AMI dialog box, perform the following actions:

  1. Select the new AMI destination region from the Destination region dropdown list.
  2. Within Name box, provide a name for your new AMI.
  3. (Optional) Edit the image description available within Description box.
  4. Next to Encryption, select Encrypt target EBS snapshots checkbox then choose the required KMS master key (the key used to encrypt the target snapshot) from the Master Key dropdown list. If there are no KMS CMK keys already created, you can use the default master key (i.e. (default) aws/ebs) that protects your EBS volumes and snapshots when no other key is defined.
  5. Click Copy AMI to confirm the action then click Done to return to the EC2 dashboard. The copy operation should take few minutes. Once the process is complete, the new AMI status should change from pending to available.

07 Repeat steps no. 4 – 6 to encrypt other unencrypted AMIs available within the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 Run copy-image command (OSX/Linux/UNIX) using the ID of the unencrypted AMI as identifier (see Audit section Step 01 to identify the right resource ID) to copy the selected AMI from the specified source region to the current region and encrypt it using the default KMS key provided by AWS. The following command example creates a copy of an AMI identified by the ID "ami-90221eeb" (source image), available within the US East (N. Virginia) source region, to the current region (destination region) and encrypts its data during the process using the KMS default master key (i.e. (default) aws/ebs): 

aws ec2 copy-image
	--source-image-id ami-90221eeb
	--source-region us-east-1
	--region us-east-1
	--name "CloudConformity Web Server Image"
	--encrypted

02 The command output should return the ID of the new AMI: 

{
    "ImageId": "ami-7adee201"
}

03 Repeat steps no. 4 – 6 to encrypt other unencrypted AMIs available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.

References

Publication date Sep 22, 2017

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS AMI Encryption

Risk level: High