Ensure EBS Volume Encryption is Enabled in all Regions
With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Also it ensures that the data is encrypted and rest and during transit from EBS to EC2.
Risk Level: High
Cloud Entity: Amazon Elastic Block Storage (EBS)
CloudGuard Rule ID: D9.AWS.CRY.61
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
Volume should have encrypted=true
REMEDIATION
From Portal
- Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
- Under
Account attributes
, clickEBS encryption
. - Click
Manage
. - Click the
Enable
checkbox. - Click
Update EBS encryption
- Repeat for every region requiring the change.
Note: EBS volume encryption is configured per region.
From TF
Set encrypted to true in the terraform file:
resource "aws_ebs_volume" "example_volume" {
...
encrypted = true
...
}
From Command Line
- Run
aws --region REGION ec2 enable-ebs-encryption-by-default
- Verify that
"EbsEncryptionByDefault": true
is displayed. - Repeat every region requiring the change.
Note: EBS volume encryption is configured per region.
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
- https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted
Amazon Elastic Block Storage (EBS)
Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes ��� all while paying a low price for only what you prov
Compliance Frameworks
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago