Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.66
Covered by Spectral: No
Category: Compute

GSL LOGIC

Instance should not have volumes contain [ encrypted=false ]

REMEDIATION

Note: The following instructions describe how to enable encryption by default. Encrypting attached EBS volumes requires further steps, please follow to the documentation for further instructions.

From Portal

Go to 'EC2'
In the upper-right corner, under 'Account attributes', select 'EBS encryption'
Under 'EBS encryption', select 'Manage'
Enable 'Always encrypt new EBS volumes'
Press 'Update EBS encryption'

From TF
To enable EBS encryption by default for your AWS account, set the 'aws_ebs_encryption_by_default' block as following:

resource "aws_ebs_encryption_by_default" "ebs_encryption_by_default_example" {
	enabled = true
}

From Command Line
To enable EBS encryption by default for your AWS account in the current region, use:

aws ec2 enable-ebs-encryption-by-default

References

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset