Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)

Error: AWS AMIs are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)

Bridgecrew Policy ID: BC_AWS_GENERAL_153
Checkov Check ID: CKV_AWS_204
Severity: LOW

Description

This policy identifies AMIs whose backing EBS snapshots are encrypted with the AWS managed default KMS key rather than with a customer managed key (CMK). It is a best practice to use a customer managed KMS key to encrypt the snapshots behind your AMIs: you then control the key policy and grants (and therefore which principals and accounts can launch instances from the AMI), can rotate or disable the key, and can audit every use of it in CloudTrail. Note that an AMI backed by encrypted snapshots cannot be made public; it is shared with specific accounts by giving them access to the key.

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_ami" "pass" {
  name                = "terraform-example"
  virtualization_type = "hvm"
  root_device_name    = "/dev/xvda1"

  # Snapshot-backed device: "encrypted" cannot be combined with "snapshot_id".
  # The volume inherits the encryption state and KMS key of the snapshot, so
  # only register snapshots that are already encrypted with your CMK.
  ebs_block_device {
    device_name = "/dev/xvda1"
    volume_size = 8
    snapshot_id = "someid"
  }

  # Empty device created with the image: the policy passes when it is marked
  # encrypted = true. aws_ami has no kms_key_id argument, so the key used is
  # the account's default EBS key; point that at your CMK (aws_ebs_default_kms_key).
  ebs_block_device {
    device_name = "/dev/xvda2"
    volume_size = 8
    encrypted   = true
  }
}
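
The `aws_ami` resource only lets you flag a volume as encrypted; it does not take a KMS key. The following is an added example (not part of the original page or of Checkov) showing how the CMK actually gets onto the AMI: create the key, re-encrypt an existing AMI under it with `aws_ami_copy`, and make the key the account's default for new EBS volumes and snapshots. The region, alias name, source AMI ID and key settings are placeholders.

```hcl
provider "aws" {
  region = "us-east-1" # assumption
}

# Customer managed key. The default key policy grants the account root full
# control; add statements or grants for every principal (and every other
# account) that must launch instances from the encrypted AMI.
resource "aws_kms_key" "ami" {
  description             = "CMK for AMI and EBS snapshot encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ami" {
  name          = "alias/ami-encryption" # assumption
  target_key_id = aws_kms_key.ami.key_id
}

# Re-encrypt an existing AMI: the copy re-encrypts every backing snapshot
# under the CMK, which is the only way to change the key of an AMI that was
# registered from snapshots encrypted with the AWS managed key.
resource "aws_ami_copy" "encrypted" {
  name              = "terraform-example-cmk"
  source_ami_id     = "ami-0123456789abcdef0" # placeholder
  source_ami_region = "us-east-1"
  encrypted         = true
  kms_key_id        = aws_kms_key.ami.arn
}

# Make the CMK the regional default for EBS so that volumes, snapshots and
# AMIs created later (including aws_ami block devices that only set
# encrypted = true) use it. aws_ebs_default_kms_key does not by itself turn
# encryption on; aws_ebs_encryption_by_default does that.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ami.arn
}
```

After applying, launch from `aws_ami_copy.encrypted.id` rather than the source AMI, and deregister the source AMI once nothing depends on it; the unencrypted or default-key snapshots behind it remain until they are deleted as well.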