Plugin Title: Encrypted AMI
Cloud: AWS
Category: EC2
Description: Checks for encrypted root EBS volume for AMI
More Info: Instances that are not based on encrypted EBS root volumes pose a security threat due to potential data snooping.
AWS Link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
Recommended Action: Create an Amazon EC2 instance backed by encrypted EBS volume.


Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the "Services" option and search for EC2.
  3. Scroll down the left navigation panel and choose "AMIs" under "Images".
  4. Select the "AMI" that needs to be verified and, on the "Details" tab, copy the "Snapshot ID" listed under "Block Devices".
  5. Scroll down the left navigation panel and choose "Snapshots" under "Elastic Block Store".
  6. Click inside the "Filter by tags and attributes or search by keyword" box, choose "Snapshot ID" from the dropdown menu, and paste the copied "Snapshot ID".
  7. Scroll down the "Description" tab and check the "Encryption" value. If the "Encryption" value is set to "Not Encrypted", the selected "AMI" is not encrypted.
  8. Repeat steps 2 - 7 to verify other AMIs.
  9. Scroll down the left navigation panel and choose "AMIs" and select the "AMI" that needs to be encrypted.
  10. Click on the "Actions" button at the top and click on the "Copy AMI" option.
  11. In the "Copy AMI" dialog box, select the "Destination region" from the dropdown menu, select the "Encryption" checkbox to "Encrypt target EBS snapshots", choose the "Master Key" from the dropdown, and click on the "Copy AMI" button.
  12. Select the new "Encrypted AMI" and click on the "Launch" button to create a new EC2 instance with an encrypted "EBS volume".
  13. Configure the "Instance Type", "Configure Instance Details", "Add Storage", and "Security Group" as per the requirements, then click on the "Review and Launch" button to create a new "EC2 Instance" backed by an encrypted "EBS Volume".
  14. Repeat steps 9 - 13 to create an "EC2 Instance" from an "Encrypted AMI".
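
The verification in steps 1 - 8 can also be run over API output instead of the console. The following is an added example, not part of the plugin or the original page: it takes a DescribeImages response (for instance from `aws ec2 describe-images --owners self`) and classifies each AMI by the encryption flag on its root EBS snapshot. The image and snapshot IDs are constructed sample values, and the function names are hypothetical.

```python
# Constructed sample in the shape of an EC2 DescribeImages response.
SAMPLE = {"Images": [
    {"ImageId": "ami-0aaa0000000000001", "RootDeviceType": "ebs",
     "RootDeviceName": "/dev/xvda", "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda",
          "Ebs": {"SnapshotId": "snap-0aaa0000000000001", "Encrypted": True}}]},
    # Root volume unencrypted even though the data volume is encrypted.
    {"ImageId": "ami-0aaa0000000000002", "RootDeviceType": "ebs",
     "RootDeviceName": "/dev/sda1", "BlockDeviceMappings": [
         {"DeviceName": "/dev/sda1",
          "Ebs": {"SnapshotId": "snap-0aaa0000000000002", "Encrypted": False}},
         {"DeviceName": "/dev/sdf",
          "Ebs": {"SnapshotId": "snap-0aaa0000000000003", "Encrypted": True}}]},
    # Instance-store AMI: there is no root EBS snapshot to inspect.
    {"ImageId": "ami-0aaa0000000000003", "RootDeviceType": "instance-store",
     "RootDeviceName": "/dev/sda1", "BlockDeviceMappings": [
         {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
]}


def audit_images(response):
    """Return (image_id, status, root_snapshot_id) for every AMI."""
    findings = []
    for image in response.get("Images", []):
        image_id = image["ImageId"]
        if image.get("RootDeviceType") != "ebs":
            findings.append((image_id, "NOT_EBS_BACKED", None))
            continue
        # The root volume is the mapping whose device name matches RootDeviceName.
        root = next((m["Ebs"] for m in image.get("BlockDeviceMappings", [])
                     if m.get("DeviceName") == image.get("RootDeviceName")
                     and "Ebs" in m), None)
        if root is None:
            findings.append((image_id, "ROOT_MAPPING_MISSING", None))
        else:
            # A missing flag is treated the same as False.
            status = "ENCRYPTED" if root.get("Encrypted") is True else "UNENCRYPTED"
            findings.append((image_id, status, root.get("SnapshotId")))
    return findings


def unencrypted_amis(response):
    """AMI IDs whose root EBS snapshot is not encrypted."""
    return [i for i, status, _ in audit_images(response) if status == "UNENCRYPTED"]


if __name__ == "__main__":
    for image_id, status, snapshot in audit_images(SAMPLE):
        print(image_id, status, snapshot or "-")
```

AMIs reported as UNENCRYPTED are the candidates for the "Copy AMI" procedure in steps 9 - 13.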
