More Info:

Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

Risk Level

High

Address

Security

Compliance Standards

PCIDSS, HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the EC2 AMIs Should Be Encrypted misconfiguration for AWS using AWS console:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. In the left-hand navigation panel, click on the “AMIs” option.
  4. Select the AMI that needs to be encrypted.
  5. Click on the “Actions” button and select “Copy AMI”.
  6. In the “Copy AMI” wizard, select the region where the AMI will be copied and check the “Encrypt this image” option.
  7. Select the KMS key that will be used to encrypt the AMI, or create a new one.
  8. Click on the “Copy AMI” button to start the copy process.
  9. Once the copy process is complete, the new encrypted AMI will be available in the selected region.
  10. Repeat this process for all the unencrypted AMIs in your AWS account.
By following these steps, you can remediate the EC2 AMIs Should Be Encrypted misconfiguration for AWS using AWS console.

To remediate the misconfiguration “EC2 AMIs should be encrypted” in AWS using AWS CLI, follow the below steps:
  1. Open the AWS CLI on your local machine or EC2 instance and ensure that you have the necessary permissions to perform the remediation steps.
  2. List all the AMIs that are not encrypted using the following command: 
aws ec2 describe-images --filters "Name=block-device-mapping.volume-type,Values=gp2" "Name=state,Values=available" --query 'Images[*].{ID:ImageId,Name:Name,BlockDeviceMappings:BlockDeviceMappings}'
This command will list all the unencrypted AMIs in your AWS account.
  1. Create a new encrypted copy of the unencrypted AMI using the following command:
aws ec2 copy-image --source-image-id ami-xxxxxxxx --source-region us-west-2 --encrypted --region us-west-2
Replace the ami-xxxxxxxx with the ID of the unencrypted AMI that you want to encrypt.
  1. Once the new encrypted AMI is created, deregister the unencrypted AMI using the following command:
aws ec2 deregister-image --image-id ami-xxxxxxxx --region us-west-2
Replace the ami-xxxxxxxx with the ID of the unencrypted AMI that you want to deregister.
  1. Verify that the new encrypted AMI is available and working correctly.
  2. Repeat the above steps for all unencrypted AMIs in your AWS account.
By following these steps, you can remediate the misconfiguration “EC2 AMIs should be encrypted” in AWS using AWS CLI.
To remediate the misconfiguration of unencrypted EC2 AMIs in AWS using Python, you can follow the following steps:
  1. Import the required AWS SDKs and libraries:
import boto3
  1. Create an EC2 client object:
ec2 = boto3.client('ec2')
  1. Retrieve a list of all the EC2 instances:
instances = ec2.describe_instances()
  1. Loop through each instance and check if it has any unencrypted AMIs:
for instance in instances['Reservations']:
    for ami in instance['Instances'][0]['BlockDeviceMappings']:
        if not ami.get('Ebs', {}).get('Encrypted', False):
            # If the AMI is not encrypted, remediate it
  1. To remediate an unencrypted AMI, create a new encrypted copy of it:
response = ec2.create_image(
    InstanceId=instance['Instances'][0]['InstanceId'],
    Name='Encrypted AMI',
    Description='Encrypted copy of the original AMI',
    BlockDeviceMappings=[
        {
            'DeviceName': ami['DeviceName'],
            'Ebs': {
                'SnapshotId': ami['Ebs']['SnapshotId'],
                'VolumeType': ami['Ebs']['VolumeType'],
                'VolumeSize': ami['Ebs']['VolumeSize'],
                'Encrypted': True
            }
        }
    ],
    DryRun=False
)
  1. Delete the original unencrypted AMI:
response = ec2.deregister_image(
    ImageId=ami['Ebs']['SnapshotId'],
    DryRun=False
)
  1. Repeat the above steps for each unencrypted AMI found.
Note: Before running the script, make sure that you have the necessary permissions to create and delete EC2 AMIs.

Additional Reading: