Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
Error: AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_149
Checkov Check ID: CKV_AWS_199
Severity: LOW
AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies AWS Image Builder distribution configurations whose distributed AMIs are encrypted with the default AWS-managed KMS key rather than with a customer managed key (CMK). It is a best practice to use customer managed KMS keys to encrypt the AMIs that Image Builder distributes: a CMK gives you full control over the key policy, key rotation and access to the encrypted data.
Fix - Runtime
TBD
Fix - Buildtime
Terraform
Resource: aws_imagebuilder_distribution_configuration
Arguments: distribution.ami_distribution_configuration.kms_key_id
# The referenced key must be a customer managed key; the resource name is arbitrary.
resource "aws_kms_key" "fail" {
  description         = "CMK used to encrypt AMIs distributed by Image Builder"
  enable_key_rotation = true
}

resource "aws_imagebuilder_distribution_configuration" "pass" {
  name        = "example"
  description = "non empty value"

  distribution {
    ami_distribution_configuration {
      # Passing: the AMI is encrypted with the customer managed key above.
      kms_key_id = aws_kms_key.fail.arn
      ami_tags = {
        CostCenter = "IT"
      }
      name = "example-{{ imagebuilder:buildDate }}"
      launch_permission {
        user_ids = ["123456789012"]
      }
    }
    region = "us-east-1"
  }
}
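As an added illustration (not Checkov's own implementation), the function below shows how a CKV_AWS_199-style check could evaluate a parsed aws_imagebuilder_distribution_configuration resource. It assumes the hcl2-style dict shape that Checkov hands to resource checks, in which every attribute and nested block is wrapped in a list; it goes beyond a plain presence check by inspecting every distribution block and treating an AWS-managed alias/aws/* key as failing.

```python
# Added example, not Checkov's code. Assumes hcl2-style list-wrapped attributes/blocks.
PASSED = "PASSED"
FAILED = "FAILED"


def _blocks(conf, key):
    """Nested blocks under `key`, normalised to a list of dicts (hcl2 wraps them in lists)."""
    value = conf.get(key, [])
    if isinstance(value, dict):
        value = [value]
    return [v for v in value if isinstance(v, dict)]


def _scalar(conf, key):
    """First value of a list-wrapped attribute, or the raw value."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def scan_distribution_configuration(conf):
    """PASSED only if every ami_distribution_configuration names a KMS key that is
    not an AWS-managed alias; fails closed when there is no AMI distribution to inspect."""
    inspected = 0
    for dist in _blocks(conf, "distribution"):
        for ami in _blocks(dist, "ami_distribution_configuration"):
            inspected += 1
            key = _scalar(ami, "kms_key_id")
            # No key (or an empty one) means the AWS-managed default key is used.
            if not isinstance(key, str) or not key.strip():
                return FAILED
            # alias/aws/* keys are AWS-managed, not customer managed (assumption: treat as fail).
            if key.startswith("alias/aws/"):
                return FAILED
    return PASSED if inspected else FAILED


# Constructed inputs: the page's passing resource, and the same resource without kms_key_id.
PASSING_CONF = {"name": ["example"], "distribution": [{"region": ["us-east-1"],
    "ami_distribution_configuration": [{"kms_key_id": ["${aws_kms_key.fail.arn}"],
                                        "name": ["example-{{ imagebuilder:buildDate }}"]}]}]}
FAILING_CONF = {"name": ["example"], "distribution": [{"region": ["us-east-1"],
    "ami_distribution_configuration": [{"name": ["example-{{ imagebuilder:buildDate }}"]}]}]}
```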