Use encrypted storage for instances that might host a database.

Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. Covered DBs include: couchbase, riak,redis, hbase, Oracle, SAP Hana, Postgres, cassandra, hadoop, Mongo, Neo4j and any server with DB, SQL, database or graph in name

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

Instance where(name like '%-db%' ) or (name like '%_db%' )  or (name like '%db-%' ) or (name like '%db_%' ) or (name like '%database%' ) or (name like '%sql%' ) or (name like '%couchbase%' ) or (name like '%riak%' )  or (name like '%redis%' )  or (name like '%hbase%' )  or (name like '%oracle%' )  or (name like '%hana%' ) or (name like '%postgres%' )  or (name like '%cassandra%' )   or (name like '%hadoop%' )  or (name like '%mongo%' )  or (name like '%graph%' )  or (name like '%Neo4j%' ) should have volumes with [kmsKeyId and encrypted='true']

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open the EC2 console at https://console.aws.amazon.com/ec2/.
  2. Create an EC2 instance with the where the names include - db, database, sql, couchbase, riak, redis, hbase, oracle, hana, postgres, cassandra, hadoop, mongo, graph, Neo4j
  3. Configure the filesystem on the instance(s) to be encrypted, using a key that is stored in a file on an S3 bucket (created for this purpose).
    This involves creating an S3 bucket, with a permissions policy, creating & encrypting an encryption key and storing it in the bucket, and then configuring the instances to use the key to encrypt the filesystems, all from the AWS console.
  4. Choose Save changes.

From TF

resource "aws_ebs_volume" "negative" {
	+ encrypted = true
	+ kms_key_id = "KMS-KEY-ID"
}

References

  1. https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset