
Metadata

Id: 97707503-a22c-4cd7-b7c0-f088fa7cf830

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Encryption

Description

AMIs must have their block device mappings encrypted to protect data at rest and prevent sensitive information from being exposed if snapshots are copied, shared, or recovered on different storage.

For Ansible tasks using the amazon.aws.ec2_ami or ec2_ami modules, each entry in device_mapping must set encrypted: true. Tasks whose device mappings omit the encrypted attribute, or set encrypted: false, are flagged. Ensure every device mapping explicitly sets encrypted: true so that AMI snapshots and the volumes derived from them remain encrypted.

Secure configuration example:

- name: Create AMI with encrypted device mapping
  amazon.aws.ec2_ami:
    name: my-encrypted-ami
    device_mapping:
      - device_name: /dev/sda1
        encrypted: true
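The check described above, as an added example that is not Datadog's or the amazon.aws collection's code: it walks parsed playbook tasks (as yaml.safe_load would produce them), handles both module names, tolerates a single-dict device_mapping as well as the list form the module expects, and reports every mapping that does not explicitly set encrypted to a YAML truthy value. The sample tasks are constructed from this page's examples.

```python
from typing import Any, Dict, List

# Both spellings the rule covers: the FQCN and the legacy short name.
AMI_MODULES = {"amazon.aws.ec2_ami", "ec2_ami"}
# String forms that survive when a playbook is loaded with a YAML 1.2 loader.
TRUE_STRINGS = {"true", "yes", "on", "1"}


def is_encrypted(mapping: Dict[str, Any]) -> bool:
    """True only when the mapping explicitly sets encrypted to a truthy value."""
    value = mapping.get("encrypted")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in TRUE_STRINGS


def find_unencrypted_mappings(tasks: List[Dict[str, Any]]) -> List[str]:
    """Return one finding per ec2_ami device mapping lacking encrypted: true."""
    findings = []
    for task in tasks:
        module = next((m for m in AMI_MODULES if m in task), None)
        if module is None:  # not an AMI task, nothing to check
            continue
        params = task[module] or {}
        mappings = params.get("device_mapping") or []
        if isinstance(mappings, dict):  # tolerate a single mapping written as a dict
            mappings = [mappings]
        for mapping in mappings:
            if not is_encrypted(mapping):
                task_name = task.get("name", "<unnamed>")
                findings.append(f"{task_name}: {mapping.get('device_name', '<no device>')}")
    return findings


# Constructed sample: the page's compliant task, both non-compliant tasks, and an unrelated task.
SAMPLE_TASKS = [
    {"name": "Basic AMI Creation", "amazon.aws.ec2_ami": {"instance_id": "i-xxxxxx",
        "device_mapping": [{"device_name": "/dev/sda", "encrypted": True}], "wait": True}},
    {"name": "Basic AMI Creation (unencrypted)", "amazon.aws.ec2_ami": {"instance_id": "i-xxxxxx",
        "device_mapping": [{"device_name": "/dev/sda", "encrypted": False}]}},
    {"name": "Basic AMI Creation2", "ec2_ami": {"instance_id": "i-xxxxxx",
        "device_mapping": {"device_name": "/dev/sda"}}},
    {"name": "Unrelated task", "amazon.aws.ec2_instance": {"image_id": "ami-xxxxxx"}},
]

if __name__ == "__main__":
    for finding in find_unencrypted_mappings(SAMPLE_TASKS):
        print("unencrypted device mapping ->", finding)
```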

Compliant Code Examples

- name: Basic AMI Creation
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    # device_mapping is a list of mappings; every entry sets encrypted: yes
    device_mapping:
      - device_name: /dev/sda
        encrypted: yes
    wait: yes
    name: newtest
    tags:
      Name: newtest
      Service: TestService

Non-Compliant Code Examples

- name: Basic AMI Creation
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    device_mapping:
      - device_name: /dev/sda
        encrypted: no   # flagged: encryption explicitly disabled
    wait: yes
    name: newtest
    tags:
      Name: newtest
      Service: TestService
- name: Basic AMI Creation2
  amazon.aws.ec2_ami:
    instance_id: i-xxxxxx
    device_mapping:
      - device_name: /dev/sda   # flagged: encrypted attribute missing
    wait: yes
    name: newtest
    tags:
      Name: newtest
      Service: TestService