Id: 97707503-a22c-4cd7-b7c0-f088fa7cf830
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Encryption
Description
AMIs must have their block device mappings encrypted so that data at rest is protected and sensitive information is not exposed when the backing snapshots are copied, shared with other accounts, or restored onto other storage.
For Ansible tasks that use the amazon.aws.ec2_ami module (or its short name, ec2_ami), every entry in device_mapping must set encrypted: true. Entries that omit the encrypted attribute, or that set it to false (or no), are flagged. The check is static: it evaluates the playbook, not the image that AWS registers, so after the task has run, confirm that the snapshots behind the AMI report as encrypted in the AWS API rather than relying on the playbook alone.
Secure configuration example:
- name: Create AMI with encrypted device mapping
  amazon.aws.ec2_ami:
    name: my-encrypted-ami
    device_mapping:
      - device_name: /dev/sda1
        encrypted: true
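The rule above is a static check over the playbook structure. As an added example (not code from Datadog or from the amazon.aws collection), the following Python script implements the same check over a parsed playbook: it finds every amazon.aws.ec2_ami or ec2_ami task, including tasks nested in block/rescue/always, accepts device_mapping as either a list or a single mapping, and reports each entry whose encrypted attribute is missing or not literally true. The SAMPLE_PLAYBOOK is constructed for this example and is written as the Python literals yaml.safe_load() would produce from the page's compliant and non-compliant YAML, so the script runs offline without PyYAML; in practice you would feed it the result of loading the real playbook file.

```python
"""Static check: every ec2_ami device_mapping entry must set encrypted: true.

Added example. SAMPLE_PLAYBOOK is constructed test data in the shape
yaml.safe_load() gives for a playbook; swap in yaml.safe_load(open(path))
to scan a real file.
"""
from typing import Any, Iterator

# Both the fully qualified collection name and the short module name are checked.
EC2_AMI_MODULES = ("amazon.aws.ec2_ami", "ec2_ami")
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")
NESTING_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks: Any) -> Iterator[dict]:
    """Yield leaf tasks, descending into block/rescue/always wrappers."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        if any(key in task for key in NESTING_KEYS):
            for key in NESTING_KEYS:
                yield from iter_tasks(task.get(key))
        else:
            yield task


def is_true(value: Any) -> bool:
    """YAML 1.1 loaders already turn yes/on into True; accept the quoted string
    spellings too. Anything else (false, a number, a Jinja template such as
    '{{ encrypt_data }}') cannot be shown to encrypt and is treated as not true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in ("true", "yes", "on")
    return False


def check_playbook(playbook: list) -> list[tuple[str, str, str]]:
    """Return (task name, device_name, reason) for each device_mapping entry
    of an ec2_ami task that does not set encrypted: true."""
    findings: list[tuple[str, str, str]] = []
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for section in TASK_SECTIONS:
            for task in iter_tasks(play.get(section)):
                args = next((task[m] for m in EC2_AMI_MODULES if m in task), None)
                if not isinstance(args, dict):
                    continue  # not an ec2_ami task, or free-form args we cannot inspect
                mappings = args.get("device_mapping")
                if mappings is None:
                    continue  # no explicit mappings: this rule has nothing to evaluate
                if isinstance(mappings, dict):  # single-entry form, as in the page's examples
                    mappings = [mappings]
                task_name = str(task.get("name", "<unnamed task>"))
                for entry in mappings:
                    if not isinstance(entry, dict):
                        continue
                    device = str(entry.get("device_name", "<unnamed device>"))
                    if "encrypted" not in entry:
                        findings.append((task_name, device, "encrypted attribute missing"))
                    elif not is_true(entry["encrypted"]):
                        findings.append((task_name, device,
                                         f"encrypted is {entry['encrypted']!r}, not true"))
    return findings


# Constructed sample: the page's compliant and non-compliant tasks plus two edge
# cases (a dict-form device_mapping and a templated flag inside a block).
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {"name": "Basic AMI Creation",
             "amazon.aws.ec2_ami": {"instance_id": "i-xxxxxx", "name": "newtest", "wait": True,
                                    "device_mapping": [{"device_name": "/dev/sda", "encrypted": True}]}},
            {"name": "Unencrypted mapping",
             "amazon.aws.ec2_ami": {"instance_id": "i-xxxxxx", "name": "newtest",
                                    "device_mapping": [{"device_name": "/dev/sda", "encrypted": False}]}},
            {"name": "Missing attribute",
             "ec2_ami": {"instance_id": "i-xxxxxx", "name": "newtest",
                         "device_mapping": {"device_name": "/dev/sda"}}},
            {"block": [
                {"name": "Templated flag in block",
                 "amazon.aws.ec2_ami": {"name": "newtest",
                                        "device_mapping": [
                                            {"device_name": "/dev/sda1", "encrypted": True},
                                            {"device_name": "/dev/sdf",
                                             "encrypted": "{{ encrypt_data }}"}]}},
            ]},
        ],
    }
]

if __name__ == "__main__":
    for task_name, device, reason in check_playbook(SAMPLE_PLAYBOOK):
        print(f"[Medium] {task_name}: {device}: {reason}")
```

Running the script reports the two non-compliant tasks from this page and the templated /dev/sdf entry; the compliant task and the /dev/sda1 entry produce no finding. Treating a Jinja expression as a finding is a deliberate design choice: a static rule cannot resolve the variable, and an entry whose encryption depends on an inventory value is exactly the kind of drift the rule exists to catch.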
Compliant Code Examples
- name: Basic AMI Creation
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    device_mapping:
      # device_mapping is a list of mappings; each entry sets encrypted: true
      - device_name: /dev/sda
        encrypted: true
    wait: true
    name: newtest
    tags:
      Name: newtest
      Service: TestService
Non-Compliant Code Examples
- name: Basic AMI Creation
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    device_mapping:
      - device_name: /dev/sda
        encrypted: false   # explicitly unencrypted: flagged
    wait: true
    name: newtest
    tags:
      Name: newtest
      Service: TestService
- name: Basic AMI Creation2
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    device_mapping:
      - device_name: /dev/sda   # encrypted attribute omitted: flagged
    wait: true
    name: newtest
    tags:
      Name: newtest
      Service: TestService