AWS Image Recipe EBS Disk are not encrypted using a Customer Managed Key (CMK)
Description
This policy identifies Image Recipe EBS Disks which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.
//=== Fix - Runtime //TBA
Code Example
go
resource "aws_imagebuilder_image_recipe" "pass2" {
block_device_mapping {
device_name = "/dev/xvdb"
ebs {
encrypted = true
kms_key_id = aws_kms_key.fail.arn
delete_on_termination = true
volume_size = 100
volume_type = "gp2"
}
}
component {
component_arn = aws_imagebuilder_component.fail.arn
}
name = "example"
parent_image = "arn:${data.aws_partition.current.partition}:imagebuilder:${data.aws_region.current.name}:aws:image/amazon-linux-2-x86/x.x.x"
version = "1.0.0"
}Remediation
//TBA
=== Fix - Buildtime
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0248 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_200 |