Ensure EBS Volume Encryption is Enabled in all Regions

With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Also it ensures that the data is encrypted and rest and during transit from EBS to EC2.

Risk Level: High
Cloud Entity: Amazon Elastic Block Storage (EBS)
CloudGuard Rule ID: D9.AWS.CRY.61
Covered by Spectral: Yes
Category: Storage


Volume should have encrypted=true


From Portal

  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Click the Enable checkbox.
  5. Click Update EBS encryption
  6. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.

From TF
Set encrypted to true in the terraform file:

resource "aws_ebs_volume" "example_volume" {
	encrypted = true

From Command Line

  1. Run
aws --region REGION ec2 enable-ebs-encryption-by-default
  1. Verify that "EbsEncryptionByDefault": true is displayed.
  2. Repeat every region requiring the change.

Note: EBS volume encryption is configured per region.


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted

Amazon Elastic Block Storage (EBS)

Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes ��� all while paying a low price for only what you prov

Compliance Frameworks

  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset