Profile Applicability:

  • Level 1

Description:
Amazon Machine Images (AMIs) should utilize EBS encrypted snapshots to ensure that all data in the AMI is encrypted at rest. EBS (Elastic Block Store) encryption provides an additional layer of security for data stored on the disks of Amazon EC2 instances. When an AMI is created from an encrypted EBS snapshot, the AMI is also encrypted, protecting sensitive data in storage.

Rationale:
Ensuring that AMIs are encrypted is crucial for protecting sensitive data and meeting security compliance requirements. Encryption of AMIs prevents unauthorized access to data at rest, ensures confidentiality, and provides enhanced data protection. Additionally, it ensures that sensitive data on instances created from these AMIs is secure. Using EBS encryption is the AWS recommended practice for securing storage volumes, and it is important to extend this security to AMIs.

Impact:
Pros:

  • Increased security of sensitive data by ensuring that it is encrypted at rest.

  • Compliance with security regulations that require encryption for data at rest.

  • Reduces the risk of data breaches or unauthorized access to EC2 instances created from unencrypted AMIs.

  • Simplifies auditing and compliance reporting by enforcing encryption.

Cons:

  • There may be some performance overhead associated with encryption, although AWS handles the encryption process efficiently.

  • Requires additional configuration and management to ensure all AMIs are encrypted.

Default Value:
By default, AMIs created from unencrypted EBS snapshots will not be encrypted. It is important to configure AMIs to use encrypted snapshots, especially when they contain sensitive data.

Pre-requisites:

  • AWS IAM permissions to view and manage EC2 AMIs and EBS snapshots:
    ec2:DescribeImages, ec2:CopyImage, ec2:DeregisterImage, ec2:DescribeSnapshots, ec2:CreateSnapshot

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. In the left navigation pane, click Instances, then click AMIs under Images.

  3. For each AMI, check the Block Devices section in the Details tab.

    • Confirm that the AMI’s block devices are encrypted.

  4. If any AMI is not encrypted, refer to the Remediation section to encrypt the AMI.

Using AWS CLI:

  1. Run the following AWS CLI command to list AMIs that are not encrypted:

    aws ec2 describe-images --region us-east-1 --owners self --filters "Name=block-device-mapping.encrypted,Values=false" --query "Images[*].[ImageId]"

  2. If the command returns any non-encrypted AMIs, note them for remediation.
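The same check applied to the JSON that describe-images returns, as an added example that is not part of this benchmark: it reports every owned AMI that has at least one unencrypted EBS-backed device (an AMI mixing encrypted and unencrypted devices is still non-compliant, which is what the block-device-mapping.encrypted=false filter above matches), skips instance-store mappings that have no Ebs key, and builds the copy-image command from the Implementation Plan. The AMI and snapshot IDs are constructed placeholders.

```python
import json

# Constructed sample of `aws ec2 describe-images --owners self` output;
# not captured from a real account, all IDs are placeholders.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-0000000000000001", "Name": "web-base",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda",
              "Ebs": {"SnapshotId": "snap-0000000000000001", "Encrypted": True}}]},
        {"ImageId": "ami-0000000000000002", "Name": "legacy-app",
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda",
              "Ebs": {"SnapshotId": "snap-0000000000000002", "Encrypted": False}},
             {"DeviceName": "/dev/xvdb",
              "Ebs": {"SnapshotId": "snap-0000000000000003", "Encrypted": True}},
             # instance-store (ephemeral) mapping: no Ebs key, nothing to encrypt
             {"DeviceName": "/dev/sdc", "VirtualName": "ephemeral0"}]},
    ]
})


def unencrypted_devices(image):
    """Device names of EBS-backed volumes in one AMI that are not encrypted.
    Mappings without an 'Ebs' key are instance-store volumes and are skipped."""
    return [m["DeviceName"] for m in image.get("BlockDeviceMappings", [])
            if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]


def find_noncompliant_amis(describe_images_output):
    """Map each AMI with at least one unencrypted EBS device to those devices."""
    data = json.loads(describe_images_output)
    findings = {}
    for image in data.get("Images", []):
        bad = unencrypted_devices(image)
        if bad:
            findings[image["ImageId"]] = bad
    return findings


def remediation_command(image_id, new_name, region):
    """The copy-image command from the Implementation Plan for one AMI."""
    return (f'aws ec2 copy-image --name "{new_name}" --source-image-id {image_id} '
            f'--source-region {region} --encrypted')


if __name__ == "__main__":
    for ami, devices in find_noncompliant_amis(SAMPLE_DESCRIBE_IMAGES).items():
        print(f"{ami}: unencrypted devices {devices}")
        print("  " + remediation_command(ami, f"{ami}-encrypted", "us-east-1"))
```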

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, click AMIs under Images.

  3. Select the AMI that does not comply with the encryption policy.

  4. Click Actions and select Copy AMI.

    • Destination Region: Select the region where the AMI is currently located.

    • Name: Enter the new name for the AMI, following your organization’s naming convention.

    • Description: Enter a description for the AMI, ensuring it complies with your image policy.

    • Encryption: Select Encrypt target EBS snapshots.

  5. Click Copy AMI.

  6. Once the AMI has finished copying, verify that the new AMI is encrypted.

  7. Select the original AMI that does not comply and click Actions > Deregister to remove the old, non-compliant AMI.

Using AWS CLI:

  1. To copy an AMI with encrypted block devices, run:

    aws ec2 copy-image --name "<New_AMI_Name>" --source-image-id <Image-ID> --source-region <region> --encrypted

  2. Once the new AMI is copied and encrypted, deregister the old, unencrypted AMI:

    aws ec2 deregister-image --image-id <Image-ID>

Backout Plan:

Using AWS Console:

  1. If copying and encrypting the AMI causes issues, sign in to the AWS Management Console.

  2. Re-enable the original AMI if necessary by following the steps to copy and rename it again.

  3. Ensure that the re-encrypted AMI complies with the naming policy and encryption settings.

Using AWS CLI:

  1. If the encryption process disrupts services, restore the previous AMI by copying it again without encryption:

    aws ec2 copy-image --name "<Original_AMI_Name>" --source-image-id <Image-ID> --source-region <region>

  2. Verify that the old AMI is restored, ensuring it is re-registered correctly:

    aws ec2 describe-images --image-ids <Image-ID>

CIS Controls:

  Version   Control ID   Control Description
  v8        3.11         Encrypt sensitive data at rest, including EBS volumes used for AMIs, to prevent unauthorized access to data at rest.
  v7        14.8         Encrypt all sensitive information at rest using tools that require a secondary authentication mechanism to access, such as EBS encryption for AMIs.