> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# EC2 AMIs Should Be Encrypted

### More Info:

Amazon Machine Images (AMIs) should be encrypted to fulfill compliance requirements for data-at-rest encryption.

### Risk Level

High

### Address

Security

### Compliance Standards

PCIDSS, HITRUST, SOC2, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the EC2 AMIs Should Be Encrypted misconfiguration for AWS using AWS console:

        1. Log in to the AWS Management Console.

        2. Navigate to the EC2 dashboard.

        3. In the left-hand navigation panel, click on the "AMIs" option.

        4. Select the AMI that needs to be encrypted.

        5. Click on the "Actions" button and select "Copy AMI".

        6. In the "Copy AMI" wizard, select the region where the AMI will be copied and check the "Encrypt this image" option.

        7. Select the KMS key that will be used to encrypt the AMI, or create a new one.

        8. Click on the "Copy AMI" button to start the copy process.

        9. Once the copy process is complete, the new encrypted AMI will be available in the selected region.

        10. Repeat this process for all the unencrypted AMIs in your AWS account.

        By following these steps, you can remediate the EC2 AMIs Should Be Encrypted misconfiguration for AWS using AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "EC2 AMIs should be encrypted" in AWS using AWS CLI, follow the below steps:

        1. Open the AWS CLI on your local machine or EC2 instance and ensure that you have the necessary permissions to perform the remediation steps.

        2. List all the AMIs that are not encrypted using the following command:

        ```
        aws ec2 describe-images --filters "Name=block-device-mapping.volume-type,Values=gp2" "Name=state,Values=available" --query 'Images[*].{ID:ImageId,Name:Name,BlockDeviceMappings:BlockDeviceMappings}'
        ```

        This command will list all the unencrypted AMIs in your AWS account.

        3. Create a new encrypted copy of the unencrypted AMI using the following command:

        ```
        aws ec2 copy-image --source-image-id ami-xxxxxxxx --source-region us-west-2 --encrypted --region us-west-2
        ```

        Replace the `ami-xxxxxxxx` with the ID of the unencrypted AMI that you want to encrypt.

        4. Once the new encrypted AMI is created, deregister the unencrypted AMI using the following command:

        ```
        aws ec2 deregister-image --image-id ami-xxxxxxxx --region us-west-2
        ```

        Replace the `ami-xxxxxxxx` with the ID of the unencrypted AMI that you want to deregister.

        5. Verify that the new encrypted AMI is available and working correctly.

        6. Repeat the above steps for all unencrypted AMIs in your AWS account.

        By following these steps, you can remediate the misconfiguration "EC2 AMIs should be encrypted" in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of unencrypted EC2 AMIs in AWS using Python, you can follow the following steps:

        1. Import the required AWS SDKs and libraries:

        ```python theme={null}
        import boto3
        ```

        2. Create an EC2 client object:

        ```python theme={null}
        ec2 = boto3.client('ec2')
        ```

        3. Retrieve a list of all the EC2 instances:

        ```python theme={null}
        instances = ec2.describe_instances()
        ```

        4. Loop through each instance and check if it has any unencrypted AMIs:

        ```python theme={null}
        for instance in instances['Reservations']:
            for ami in instance['Instances'][0]['BlockDeviceMappings']:
                if not ami.get('Ebs', {}).get('Encrypted', False):
                    # If the AMI is not encrypted, remediate it
        ```

        5. To remediate an unencrypted AMI, create a new encrypted copy of it:

        ```python theme={null}
        response = ec2.create_image(
            InstanceId=instance['Instances'][0]['InstanceId'],
            Name='Encrypted AMI',
            Description='Encrypted copy of the original AMI',
            BlockDeviceMappings=[
                {
                    'DeviceName': ami['DeviceName'],
                    'Ebs': {
                        'SnapshotId': ami['Ebs']['SnapshotId'],
                        'VolumeType': ami['Ebs']['VolumeType'],
                        'VolumeSize': ami['Ebs']['VolumeSize'],
                        'Encrypted': True
                    }
                }
            ],
            DryRun=False
        )
        ```

        6. Delete the original unencrypted AMI:

        ```python theme={null}
        response = ec2.deregister_image(
            ImageId=ami['Ebs']['SnapshotId'],
            DryRun=False
        )
        ```

        7. Repeat the above steps for each unencrypted AMI found.

        Note: Before running the script, make sure that you have the necessary permissions to create and delete EC2 AMIs.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html)
