57 lines
1.6 KiB
YAML
57 lines
1.6 KiB
YAML
id: unencrypted-aws-ami
|
|
info:
|
|
name: Unencrypted AWS AMI
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
Ensure Amazon Machine Images (AMIs) are encrypted to meet data-at-rest encryption compliance and protect sensitive data.
|
|
impact: |
|
|
Unencrypted AMIs can expose sensitive data to unauthorized access, risking data breaches and non-compliance with data protection regulations.
|
|
remediation: |
|
|
Encrypt your AMIs using AWS managed keys or customer-managed keys in the AWS Key Management Service (KMS) to ensure data security.
|
|
reference:
|
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
|
|
metadata:
|
|
max-request: 2
|
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
|
variables:
|
|
region: "us-east-1"
|
|
|
|
flow: |
|
|
code(1)
|
|
for(let AmiName of iterate(template.amis)){
|
|
set("ami", AmiName)
|
|
code(2)
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId'
|
|
|
|
extractors:
|
|
- type: json
|
|
name: amis
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
aws ec2 describe-images --region $region --image-ids $ami --query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "false"
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- 'ami + " AMI is not encrypted"'
|
|
# digest: 4a0a00473045022006b2a8f1493aca05a5bbb6dd85e177cfacec3cf7e380e0bdd32179719555a881022100f893098f309383eacc3b8fff8a3394101a3bd39897babe77b4ac0911555498ba:922c64590222798bb761d5b6d8e72950 |