Ensure that EC2 instance's custom AMI is encrypted at rest

Encrypting an EC2 instance's custom AMI adds another layer of protection and keeps the asset compliant with encryption-at-rest requirements.

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.67
Category: Compute


Instance where imageDetails.imageLocation regexMatch /^(?!amazon|aws-marketplace\/).+/ should not have imageDetails.blockDeviceMappings contain [ ebs.encrypted=false ]
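As an added illustration (not CloudGuard's own code), the following Python reproduces the rule logic above over constructed describe-images-style records: the same negative-lookahead regex scopes the check to custom AMIs, and only EBS-backed device mappings with Encrypted=false produce a finding. The function names, sample AMI/instance IDs and image locations are assumptions.

```python
import re

# Same scope filter as the CloudGuard rule: AMIs published by Amazon or the
# AWS Marketplace are ignored; only customer-owned (custom) images are assessed.
CUSTOM_AMI = re.compile(r"^(?!amazon|aws-marketplace/).+")

def unencrypted_ebs_devices(image):
    """Device names of EBS mappings whose snapshot is unencrypted.
    Instance-store mappings carry no 'Ebs' key and are skipped."""
    return [m.get("DeviceName", "?") for m in image.get("BlockDeviceMappings", [])
            if m.get("Ebs") is not None and m["Ebs"].get("Encrypted") is False]

def evaluate_instances(instances, images):
    """Return {InstanceId: [unencrypted device names]} for instances whose
    custom AMI fails the rule. `images` maps ImageId -> describe_images() entry."""
    findings = {}
    for inst in instances:
        image = images.get(inst["ImageId"])
        # Missing image (deregistered) or Amazon/Marketplace image: out of scope
        if image is None or not CUSTOM_AMI.match(image.get("ImageLocation", "")):
            continue
        bad = unencrypted_ebs_devices(image)
        if bad:
            findings[inst["InstanceId"]] = bad
    return findings

# Constructed sample data shaped like describe_instances()/describe_images() output.
SAMPLE_IMAGES = {
    "ami-0custom0unenc": {"ImageLocation": "123456789012/my-web-server-v3",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}},
            {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"}]},
    "ami-0custom0enc": {"ImageLocation": "123456789012/my-web-server-v3-enc",
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]},
    "ami-0amazon0linux": {"ImageLocation": "amazon/al2023-ami-2023.3-x86_64",
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-0custom0unenc"},   # finding
    {"InstanceId": "i-0bbb", "ImageId": "ami-0custom0enc"},     # compliant
    {"InstanceId": "i-0ccc", "ImageId": "ami-0amazon0linux"},   # out of scope
]

if __name__ == "__main__":
    for instance_id, devices in evaluate_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES).items():
        print(f"{instance_id}: AMI has unencrypted EBS device(s): {', '.join(devices)}")
```

Against a live account the two sample dictionaries would be replaced by the paginated results of describe_instances and describe_images (with ImageIds taken from the instances), which is also where the rule's scoping shows its limit: an Amazon-owned base image with an unencrypted root snapshot is not reported.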


From Portal

  1. Go to 'EC2 Dashboard'
  2. In the left menu, under 'Images', select 'AMIs'
  3. Select the unencrypted AMI
  4. Under 'Actions', select 'Copy AMI'
  5. Select and configure 'Encrypt EBS snapshots of AMI copy'
  6. Press 'Copy AMI'

From TF
To encrypt a copy of an existing AMI, set the 'encrypted' argument of the 'aws_ami_copy' resource to 'true':

resource "aws_ami_copy" "ami_copy_example" {
	# name, source_ami_id and source_ami_region are also required by this resource
	encrypted = true
}

From Command Line
To create an encrypted copy of an existing AMI, use:

aws ec2 copy-image --source-image-id SOURCE-AMI-ID --source-region SOURCE-REGION --region OUTPUT-REGION --name NEW-AMI-NAME --encrypted


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_copy
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/copy-image.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management