Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)

Error: AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_149
Checkov Check ID: CKV_AWS_199
Severity: LOW

Description

This policy identifies Image Builder distribution configurations whose AMI distribution settings do not name a customer managed KMS key (CMK), so the distributed AMIs are encrypted with the default AWS-managed key instead. It is a best practice to use a customer managed KMS key to encrypt the AMIs you distribute: it gives you full control over the key policy, rotation and access to the encrypted data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

Resource: aws_imagebuilder_distribution_configuration
Arguments: distribution.ami_distribution_configuration.kms_key_id

# Customer managed key used to encrypt the distributed AMI.
resource "aws_kms_key" "example" {
  description         = "CMK for Image Builder AMI distribution"
  enable_key_rotation = true
}

resource "aws_imagebuilder_distribution_configuration" "pass" {
  name        = "example"
  description = "non empty value"

  distribution {
    ami_distribution_configuration {
      # Passes CKV_AWS_199: the AMI is encrypted with the customer managed key above.
      kms_key_id = aws_kms_key.example.arn
      ami_tags = {
        CostCenter = "IT"
      }

      name = "example-{{ imagebuilder:buildDate }}"

      launch_permission {
        user_ids = ["123456789012"]
      }
    }

    region = "us-east-1"
  }
}
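The rule this check applies, as an added illustration written in Python rather than Checkov's own implementation; the list-wrapped attribute shape and the two sample resources are assumptions modelled on the Terraform above:

```python
"""Simplified illustration of the CKV_AWS_199 logic (added example, not
Checkov's own code). It inspects the parsed attributes of one
aws_imagebuilder_distribution_configuration resource and fails when an
ami_distribution_configuration block omits kms_key_id, since that AMI copy
is then encrypted with the AWS-managed default key, not a customer managed key."""
from enum import Enum
from typing import Any


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def _as_list(value: Any) -> list:
    # Terraform-to-JSON parsers usually wrap nested blocks in lists; accept both.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scan_distribution_configuration(conf: dict) -> CheckResult:
    """Return FAILED if any AMI distribution lacks a non-empty kms_key_id."""
    for distribution in _as_list(conf.get("distribution")):
        for ami_conf in _as_list(distribution.get("ami_distribution_configuration")):
            key_id = _as_list(ami_conf.get("kms_key_id"))
            # Absent or empty kms_key_id -> AMI encrypted with the default AWS-managed key.
            if not key_id or not str(key_id[0]).strip():
                return CheckResult.FAILED
    # Every AMI distribution names a key (or there is no AMI distribution to flag).
    return CheckResult.PASSED


# Constructed sample resources, modelled on the Terraform example on this page.
PASSING_CONF = {
    "distribution": [{
        "region": ["us-east-1"],
        "ami_distribution_configuration": [{
            "kms_key_id": ["${aws_kms_key.example.arn}"],
            "ami_tags": [{"CostCenter": "IT"}],
        }],
    }],
}
FAILING_CONF = {
    "distribution": [{
        "region": ["us-east-1"],
        "ami_distribution_configuration": [{"ami_tags": [{"CostCenter": "IT"}]}],
    }],
}
```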