Use encrypted storage for instances that might host a database.
Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. Covered DBs include: couchbase, riak,redis, hbase, Oracle, SAP Hana, Postgres, cassandra, hadoop, Mongo, Neo4j and any server with DB, SQL, database or graph in name
Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.01
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
Instance where(name like '%-db%' ) or (name like '%_db%' ) or (name like '%db-%' ) or (name like '%db_%' ) or (name like '%database%' ) or (name like '%sql%' ) or (name like '%couchbase%' ) or (name like '%riak%' ) or (name like '%redis%' ) or (name like '%hbase%' ) or (name like '%oracle%' ) or (name like '%hana%' ) or (name like '%postgres%' ) or (name like '%cassandra%' ) or (name like '%hadoop%' ) or (name like '%mongo%' ) or (name like '%graph%' ) or (name like '%Neo4j%' ) should have volumes with [kmsKeyId and encrypted='true']
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the EC2 console at https://console.aws.amazon.com/ec2/.
- Create an EC2 instance with the where the names include - db, database, sql, couchbase, riak, redis, hbase, oracle, hana, postgres, cassandra, hadoop, mongo, graph, Neo4j
- Configure the filesystem on the instance(s) to be encrypted, using a key that is stored in a file on an S3 bucket (created for this purpose).
This involves creating an S3 bucket, with a permissions policy, creating & encrypting an encryption key and storing it in the bucket, and then configuring the instances to use the key to encrypt the filesystems, all from the AWS console. - Choose Save changes.
From TF
resource "aws_ebs_volume" "negative" {
+ encrypted = true
+ kms_key_id = "KMS-KEY-ID"
}
References
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago