AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.
Code Example
go
resource "aws_imagebuilder_distribution_configuration" "pass" {
name = "example"
description = "non empty value"
distribution {
ami_distribution_configuration {
kms_key_id = aws_kms_key.fail.arn
ami_tags = {
CostCenter = "IT"
}
name = "example-{{ imagebuilder:buildDate }}"
launch_permission {
user_ids = ["123456789012"]
}
}
region = "us-east-1"
}
}Remediation
Terraform
- Resource: aws_imagebuilder_distribution_configuration
- Arguments: distribution.ami_distribution_configuration.kms_key_id
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0247 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_199 |