AWS AMI copying does not use a Customer Managed Key (CMK)
Description
This policy identifies AMI copies which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer-managed KMS Keys to encrypt your AMI copies data. It gives you full control over the encrypted data.
Code Example
go
resource "aws_ami_copy" "pass" {
name = "terraform-example"
description = "A copy of ami-xxxxxxxx"
source_ami_id = "ami-xxxxxxxx"
source_ami_region = "us-west-1"
encrypted = true #default is false
kms_key_id = aws_kms_key.copy.arn
tags = {
Name = "HelloWorld"
test = "failed"
}
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0284 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_236 |