Ensure AWS Image Recipe EBS Disk are encrypted using a Customer Managed Key (CMK)
Error: AWS Image Recipe EBS Disk are not encrypted using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_162
Checkov Check ID: CKV_AWS_200
Severity: LOW
Description
This policy identifies Image Recipe EBS disks that are encrypted with the default AWS managed KMS key rather than with a key managed by the customer. It is a best practice to use customer managed KMS keys (CMKs) to encrypt your Image Recipe EBS disk data, as this gives you full control over the encrypted data.
Fix - Runtime
TBA
Fix - Buildtime
Terraform
resource "aws_imagebuilder_image_recipe" "pass2" {
  block_device_mapping {
    device_name = "/dev/xvdb"
    ebs {
      encrypted             = true
      # Reference a customer managed key instead of relying on the account's default KMS key
      kms_key_id            = aws_kms_key.fail.arn
      delete_on_termination = true
      volume_size           = 100
      volume_type           = "gp2"
    }
  }
  component {
    component_arn = aws_imagebuilder_component.fail.arn
  }
  name         = "example"
  parent_image = "arn:${data.aws_partition.current.partition}:imagebuilder:${data.aws_region.current.name}:aws:image/amazon-linux-2-x86/x.x.x"
  version      = "1.0.0"
}
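To make the policy logic concrete, the following is an added example (not Checkov's own source for CKV_AWS_200) of a simplified check that evaluates a parsed `aws_imagebuilder_image_recipe` resource. It assumes the dict shape Checkov's Terraform parser produces (nested blocks as lists of dicts, scalar attributes wrapped in single-element lists) and assumes that a recipe with no `block_device_mapping` passes because it declares no EBS volume to encrypt; the sample resource dicts at the bottom are constructed for this example.

```python
"""Simplified CMK check for Image Builder image recipes (added example, not Checkov code).

A recipe FAILS when any EBS block device mapping lacks a kms_key_id, because an
EBS volume without an explicit key is encrypted with the account's default
AWS managed key (or not at all when encrypted = false).
"""

PASSED = "PASSED"
FAILED = "FAILED"


def _as_list(value):
    """Normalise parser output: blocks and attributes may be a list or a bare value."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _scalar(value):
    """Unwrap a single-element list such as ["aws_kms_key.x.arn"] -> "aws_kms_key.x.arn"."""
    items = _as_list(value)
    return items[0] if items else None


def check_image_recipe_cmk(resource_conf):
    """Return PASSED when every EBS block device names a customer managed KMS key.

    resource_conf is the attribute dict of one aws_imagebuilder_image_recipe resource.
    """
    mappings = _as_list(resource_conf.get("block_device_mapping"))
    if not mappings:
        # Assumption: no block device mapping means no EBS volume to check.
        return PASSED
    for mapping in mappings:
        for ebs in _as_list(mapping.get("ebs")):
            kms_key_id = _scalar(ebs.get("kms_key_id"))
            if not kms_key_id:
                # encrypted = true alone still uses the default key -> FAILED
                return FAILED
    return PASSED


# Constructed sample resources mirroring the Terraform above (not real infrastructure).
RECIPE_WITH_CMK = {
    "name": ["example"],
    "block_device_mapping": [{
        "device_name": ["/dev/xvdb"],
        "ebs": [{"encrypted": [True], "kms_key_id": ["aws_kms_key.example.arn"]}],
    }],
}

RECIPE_DEFAULT_KEY = {
    "name": ["example"],
    "block_device_mapping": [{
        "device_name": ["/dev/xvdb"],
        "ebs": [{"encrypted": [True]}],  # encrypted, but with the default AWS managed key
    }],
}

RECIPE_MIXED = {
    "name": ["example"],
    "block_device_mapping": [
        {"device_name": ["/dev/xvdb"],
         "ebs": [{"encrypted": [True], "kms_key_id": ["aws_kms_key.example.arn"]}]},
        {"device_name": ["/dev/xvdc"],
         "ebs": [{"encrypted": [False]}]},  # one unencrypted volume fails the whole recipe
    ],
}

RECIPE_NO_VOLUMES = {"name": ["example"]}


def evaluate_samples():
    """Run the check over the constructed samples; handy for a quick local sanity run."""
    return {
        "with_cmk": check_image_recipe_cmk(RECIPE_WITH_CMK),
        "default_key": check_image_recipe_cmk(RECIPE_DEFAULT_KEY),
        "mixed": check_image_recipe_cmk(RECIPE_MIXED),
        "no_volumes": check_image_recipe_cmk(RECIPE_NO_VOLUMES),
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

The important edge case is `RECIPE_DEFAULT_KEY`: `encrypted = true` on its own satisfies an "is encrypted" check but still fails this policy, because without `kms_key_id` the volume is protected by the AWS managed default key rather than a CMK whose policy you control.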