AWS AMI Encryption is not enabled

ID

aws_ami_not_encrypted

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

AWS AMI encryption is not enabled. An AMI whose EBS block device mappings are not encrypted yields unencrypted snapshots and unencrypted root volumes on every instance launched from it. Encrypting all data at rest is a security best practice and should be implemented wherever possible.

To fix it, set encrypted: true on each EBS entry under device_mapping. Note that the EC2 RegisterImage API reference documents that the Encrypted flag should be omitted for a mapping backed by an existing snapshot and that such a mapping inherits the snapshot's encryption state, so when registering from a snapshot_id the snapshot itself must already be encrypted (for example by creating an encrypted copy of it first). After registration, confirm the result with aws ec2 describe-images and check that Encrypted is true for every EBS entry in BlockDeviceMappings.

Learn more about this topic at AWS AMI Encryption.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: AMI Registration from EBS Snapshot
      amazon.aws.ec2_ami:
        name: newtest
        state: present
        architecture: x86_64
        virtualization_type: hvm
        root_device_name: /dev/xvda
        device_mapping:
          # encrypted is not set: the root EBS mapping is registered unencrypted
          - device_name: /dev/xvda
            volume_size: 8
            snapshot_id: snap-xxxxxxxx
            delete_on_termination: true
            volume_type: gp2

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: AMI Registration from EBS Snapshot
      amazon.aws.ec2_ami:
        name: newtest
        state: present
        architecture: x86_64
        virtualization_type: hvm
        root_device_name: /dev/xvda
        device_mapping:
          - device_name: /dev/xvda
            volume_size: 8
            encrypted: true   # encrypt the EBS mapping (the backing snapshot must itself be encrypted)
            snapshot_id: snap-xxxxxxxx
            delete_on_termination: true
            volume_type: gp2
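The following is an added example, not code from this page or from the scanner it documents. It implements the check this rule performs, run over the two playbooks above as a parsed structure, and adds the post-registration verification the mitigation text recommends, run over a DescribeImages response. The function names, the embedded playbook and image dicts are all constructed here for illustration; the playbook dicts are in the shape PyYAML's yaml.safe_load() returns, embedded inline so nothing needs to be installed or reached over the network.

```python
"""Audit helpers for the aws_ami_not_encrypted rule (added example, not the
scanner's own code).

1. find_unencrypted_mappings(): scan parsed Ansible playbooks for ec2_ami
   tasks whose EBS device mappings lack encrypted: true.
2. unencrypted_ebs_devices(): check one Image dict from
   ec2.describe_images()["Images"] to confirm the registered AMI really has
   encrypted EBS devices (a snapshot-backed mapping inherits the snapshot's
   encryption state, so the playbook alone does not prove the control).
"""
import copy

EC2_AMI_MODULES = {"amazon.aws.ec2_ami", "ec2_ami"}
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")
TASK_CONTAINERS = ("block", "rescue", "always")


def _iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always containers."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in TASK_CONTAINERS if k in task]
        if nested:
            for key in nested:
                yield from _iter_tasks(task[key])
        else:
            yield task


def _is_true(value):
    """Ansible accepts YAML booleans and strings such as 'yes' or 'true'.
    A Jinja expression is treated as not-true because it cannot be proven."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def find_unencrypted_mappings(playbook):
    """Return [(task_name, device_name), ...] for EBS mappings that are not
    encrypted. Ephemeral (virtual_name) and no_device entries are skipped:
    they are not EBS volumes and cannot be encrypted."""
    findings = []
    for play in playbook:
        for section in TASK_SECTIONS:
            for task in _iter_tasks(play.get(section)):
                module = next((m for m in EC2_AMI_MODULES if m in task), None)
                if module is None or not isinstance(task[module], dict):
                    continue
                for mapping in task[module].get("device_mapping") or []:
                    if mapping.get("no_device") or mapping.get("virtual_name"):
                        continue
                    if not _is_true(mapping.get("encrypted", False)):
                        findings.append((task.get("name", "<unnamed>"),
                                         mapping.get("device_name", "<unset>")))
    return findings


def unencrypted_ebs_devices(image):
    """Return the device names in a DescribeImages Image dict whose EBS
    volume is not encrypted (ephemeral mappings have no 'Ebs' key)."""
    return [bdm["DeviceName"]
            for bdm in image.get("BlockDeviceMappings", [])
            if "Ebs" in bdm and not bdm["Ebs"].get("Encrypted", False)]


# Constructed sample input: the page's "before" playbook as yaml.safe_load()
# would return it.
BEFORE = [{
    "name": "Example playbook", "hosts": "localhost",
    "tasks": [{
        "name": "AMI Registration from EBS Snapshot",
        "amazon.aws.ec2_ami": {
            "name": "newtest", "state": "present",
            "architecture": "x86_64", "virtualization_type": "hvm",
            "root_device_name": "/dev/xvda",
            "device_mapping": [{
                "device_name": "/dev/xvda", "volume_size": 8,
                "snapshot_id": "snap-xxxxxxxx",
                "delete_on_termination": True, "volume_type": "gp2",
            }],
        },
    }],
}]

# The page's "after" playbook, plus an ephemeral mapping that must not be flagged.
AFTER = copy.deepcopy(BEFORE)
_mappings = AFTER[0]["tasks"][0]["amazon.aws.ec2_ami"]["device_mapping"]
_mappings[0]["encrypted"] = True
_mappings.append({"device_name": "/dev/sdb", "virtual_name": "ephemeral0"})

# Constructed DescribeImages result: root encrypted, a data volume not.
SAMPLE_IMAGE = {
    "ImageId": "ami-00000000000000000",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}},
        {"DeviceName": "/dev/sdf", "Ebs": {"Encrypted": False}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
    ],
}

if __name__ == "__main__":
    print("before:", find_unencrypted_mappings(BEFORE))
    print("after: ", find_unencrypted_mappings(AFTER))
    print("image: ", unencrypted_ebs_devices(SAMPLE_IMAGE))
```

To run the first check against a real playbook, replace BEFORE with yaml.safe_load(open(path)) from PyYAML; to run the second against a real account, pass each entry of boto3's ec2.describe_images(ImageIds=[...])["Images"] to unencrypted_ebs_devices().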