Ensure AWS Image Recipe EBS Disks are encrypted using a Customer Managed Key (CMK)

Error: AWS Image Recipe EBS Disks are not encrypted using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_162
Checkov Check ID: CKV_AWS_200
Severity: LOW


Description

This policy identifies Image Recipe EBS disks that are encrypted with the default AWS-managed KMS key rather than with a customer managed key (CMK). It is a best practice to use customer managed KMS keys to encrypt your EBS data: you then control the key policy, rotation and revocation, and therefore who can read the encrypted data.

Fix - Runtime

TBA

Fix - Buildtime

Terraform

resource "aws_imagebuilder_image_recipe" "pass2" {
  block_device_mapping {
    device_name = "/dev/xvdb"

    ebs {
      encrypted             = true
      # Reference a customer managed key; omitting kms_key_id falls back to
      # the account's default AWS-managed EBS key, which fails this check.
      kms_key_id            = aws_kms_key.fail.arn
      delete_on_termination = true
      volume_size           = 100
      volume_type           = "gp2"
    }
  }

  component {
    component_arn = aws_imagebuilder_component.fail.arn
  }

  name         = "example"
  parent_image = "arn:${data.aws_partition.current.partition}:imagebuilder:${data.aws_region.current.name}:aws:image/amazon-linux-2-x86/x.x.x"
  version      = "1.0.0"
}
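The condition behind this policy, written out as an added example (this is not Checkov's or Bridgecrew's own implementation): an `aws_imagebuilder_image_recipe` resource is modelled as a Python dict whose keys mirror the HCL attribute and block names used in the Terraform above, and each `ebs` block is checked for `encrypted = true` plus a `kms_key_id` that is not the default AWS-managed key. The sample resources, key ARN and the decision to treat a recipe without any EBS mapping as having nothing to flag are assumptions made for this example.

```python
# Added example, not Checkov's or Bridgecrew's own implementation: applies the
# CKV_AWS_200 condition to aws_imagebuilder_image_recipe resources expressed as
# Python dicts whose keys mirror the HCL attribute and block names on this page.
from typing import Any, Dict, Iterator, List, Tuple

# AWS-managed keys are exposed under aliases of the form alias/aws/<service>,
# so a kms_key_id with this prefix is not a customer managed key.
AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"


def _as_list(value: Any) -> List[Any]:
    """HCL blocks may appear once (dict) or repeated (list); normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_ebs_blocks(recipe: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (device_name, ebs block) for every block_device_mapping in the recipe."""
    for mapping in _as_list(recipe.get("block_device_mapping")):
        for ebs in _as_list(mapping.get("ebs")):
            yield mapping.get("device_name", "<unnamed>"), ebs


def check_recipe_ebs_cmk(recipe: Dict[str, Any]) -> List[str]:
    """Return one finding per violation; an empty list means the resource passes.

    A mapping fails when its ebs block is not encrypted, when kms_key_id is
    absent (EBS then falls back to the account's default AWS-managed key), or
    when kms_key_id names an AWS-managed alias. A recipe with no EBS block
    mapping produces no findings here (an assumption made for this example).
    """
    findings: List[str] = []
    for device, ebs in iter_ebs_blocks(recipe):
        if ebs.get("encrypted") is not True:
            findings.append(f"{device}: ebs.encrypted is not true")
        kms_key_id = ebs.get("kms_key_id")
        if not kms_key_id:
            findings.append(f"{device}: kms_key_id not set, default AWS-managed key would be used")
        elif isinstance(kms_key_id, str) and kms_key_id.startswith(AWS_MANAGED_ALIAS_PREFIX):
            findings.append(f"{device}: kms_key_id {kms_key_id!r} is an AWS-managed key, not a CMK")
    return findings


# Constructed sample resources (hypothetical names and key ARN).
PASSING_RECIPE = {
    "name": "example",
    "block_device_mapping": {
        "device_name": "/dev/xvdb",
        "ebs": {
            "encrypted": True,
            "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "volume_size": 100,
        },
    },
}

FAILING_RECIPE_NO_KEY = {
    "name": "example-default-key",
    "block_device_mapping": {
        "device_name": "/dev/xvdb",
        "ebs": {"encrypted": True, "volume_size": 100},
    },
}

FAILING_RECIPE_AWS_MANAGED = {
    "name": "example-aws-managed",
    "block_device_mapping": [
        {"device_name": "/dev/xvda", "ebs": {"encrypted": True, "kms_key_id": "alias/aws/ebs"}},
        {"device_name": "/dev/xvdb", "ebs": {"encrypted": False}},
    ],
}

if __name__ == "__main__":
    for recipe in (PASSING_RECIPE, FAILING_RECIPE_NO_KEY, FAILING_RECIPE_AWS_MANAGED):
        result = check_recipe_ebs_cmk(recipe)
        print(recipe["name"], "PASSED" if not result else "FAILED", *result, sep="\n  ")
```

The alias check is a heuristic on top of the page's condition: a recipe that sets `kms_key_id = "alias/aws/ebs"` has `kms_key_id` populated yet still uses an AWS-managed key, which is exactly the situation the description warns about, so the evaluator reports it rather than treating any non-empty value as a pass.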