EC2 AMIs Should Be Encrypted

More Info:

Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

Risk Level

High

Address

Security

Compliance Standards

PCIDSS, HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “EC2 AMIs should be encrypted” in AWS using AWS CLI, follow the below steps:

Open the AWS CLI on your local machine or EC2 instance and ensure that you have the necessary permissions to perform the remediation steps.
List all the AMIs that are not encrypted using the following command:

aws ec2 describe-images --filters "Name=block-device-mapping.volume-type,Values=gp2" "Name=state,Values=available" --query 'Images[*].{ID:ImageId,Name:Name,BlockDeviceMappings:BlockDeviceMappings}'

This command will list all the unencrypted AMIs in your AWS account.

Create a new encrypted copy of the unencrypted AMI using the following command:

aws ec2 copy-image --source-image-id ami-xxxxxxxx --source-region us-west-2 --encrypted --region us-west-2

Replace the ami-xxxxxxxx with the ID of the unencrypted AMI that you want to encrypt.

Once the new encrypted AMI is created, deregister the unencrypted AMI using the following command:

aws ec2 deregister-image --image-id ami-xxxxxxxx --region us-west-2

Replace the ami-xxxxxxxx with the ID of the unencrypted AMI that you want to deregister.

Verify that the new encrypted AMI is available and working correctly.
Repeat the above steps for all unencrypted AMIs in your AWS account.

By following these steps, you can remediate the misconfiguration “EC2 AMIs should be encrypted” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of unencrypted EC2 AMIs in AWS using Python, you can follow the following steps:

Import the required AWS SDKs and libraries:

import boto3

Create an EC2 client object:

ec2 = boto3.client('ec2')

Retrieve a list of all the EC2 instances:

instances = ec2.describe_instances()

Loop through each instance and check if it has any unencrypted AMIs:

for instance in instances['Reservations']:
    for ami in instance['Instances'][0]['BlockDeviceMappings']:
        if not ami.get('Ebs', {}).get('Encrypted', False):
            # If the AMI is not encrypted, remediate it

To remediate an unencrypted AMI, create a new encrypted copy of it:

response = ec2.create_image(
    InstanceId=instance['Instances'][0]['InstanceId'],
    Name='Encrypted AMI',
    Description='Encrypted copy of the original AMI',
    BlockDeviceMappings=[
        {
            'DeviceName': ami['DeviceName'],
            'Ebs': {
                'SnapshotId': ami['Ebs']['SnapshotId'],
                'VolumeType': ami['Ebs']['VolumeType'],
                'VolumeSize': ami['Ebs']['VolumeSize'],
                'Encrypted': True
            }
        }
    ],
    DryRun=False
)

Delete the original unencrypted AMI:

response = ec2.deregister_image(
    ImageId=ami['Ebs']['SnapshotId'],
    DryRun=False
)

Repeat the above steps for each unencrypted AMI found.

Note: Before running the script, make sure that you have the necessary permissions to create and delete EC2 AMIs.

Additional Reading:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

EC2 AMIs Should Be Encrypted

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: