Ensure AWS AMI copying uses a Customer Managed Key (CMK)

Error: AWS AMI copying does not use a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_123
Checkov Check ID: CKV_AWS_236
Severity: LOW

Description

This policy identifies AMI copies that are encrypted with the default AWS-managed KMS key rather than with a customer-managed key (CMK). It is a best practice to encrypt AMI copies with a customer-managed KMS key, because a CMK gives you full control over the key policy, rotation and auditing of the encrypted data.

Fix - Runtime

Fix - Buildtime

Terraform

# Customer-managed key referenced by the copy below (added so the example validates on its own)
resource "aws_kms_key" "copy" {
  description         = "CMK for encrypted AMI copies"
  enable_key_rotation = true
}

resource "aws_ami_copy" "pass" {
  name              = "terraform-example"
  description       = "A copy of ami-xxxxxxxx"
  source_ami_id     = "ami-xxxxxxxx"
  source_ami_region = "us-west-1"
  encrypted         = true                  # default is false; an unencrypted copy fails the check
  kms_key_id        = aws_kms_key.copy.arn  # customer-managed key, not the AWS default EBS key
  tags = {
    Name = "HelloWorld"
    test = "failed"
  }
}
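The following is an added, simplified Python model of what this control evaluates on an aws_ami_copy resource; it is not Checkov's own implementation of CKV_AWS_236, and the attribute maps are constructed samples. It goes a little beyond the page by also treating a kms_key_id that names an AWS-managed alias (prefix alias/aws/) as a non-CMK.

```python
"""Simplified model of the CKV_AWS_236 control: an aws_ami_copy must be
encrypted with a customer-managed KMS key, not the AWS-managed default.
Added illustration only, not Checkov's implementation."""

AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"  # AWS-managed keys, e.g. alias/aws/ebs


def ami_copy_uses_cmk(attrs: dict) -> bool:
    """Return True when the aws_ami_copy attributes satisfy the control.

    Rules (assumed, mirroring the Terraform example on this page):
      - encrypted must be explicitly true (provider default is false)
      - kms_key_id must be set; with encrypted=true and no key, the AWS
        default EBS key is used, which is not a CMK
      - a kms_key_id naming an AWS-managed alias is also not a CMK
    """
    if attrs.get("encrypted") is not True:
        return False
    key = attrs.get("kms_key_id")
    if not isinstance(key, str) or not key.strip():
        return False
    if key.startswith(AWS_MANAGED_ALIAS_PREFIX):
        return False
    return True


def evaluate(resources: dict) -> dict:
    """Map each aws_ami_copy resource name to 'PASSED' or 'FAILED'."""
    return {name: ("PASSED" if ami_copy_uses_cmk(attrs) else "FAILED")
            for name, attrs in resources.items()}


# Constructed sample: attribute maps as an HCL/plan parser would yield them.
SAMPLE_RESOURCES = {
    # the page's compliant example: encrypted with a CMK reference
    "pass": {"encrypted": True, "kms_key_id": "aws_kms_key.copy.arn"},
    # encryption left at the provider default (false)
    "fail_unencrypted": {"source_ami_id": "ami-xxxxxxxx"},
    # encrypted, but no key given -> AWS default EBS key
    "fail_default_key": {"encrypted": True},
    # encrypted with an AWS-managed alias, still not a CMK
    "fail_aws_managed": {"encrypted": True, "kms_key_id": "alias/aws/ebs"},
}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_RESOURCES).items():
        print(f"aws_ami_copy.{name}: {result}")
```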