Ensure that EC2 instance's volumes are encrypted

Ensures the security of both data at rest and data in transit between an EC2 Instance and its attached EBS volume.

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.66
Covered by Spectral: No
Category: Compute


Instance should not have volumes contain [ encrypted=false ]


Note: The following instructions describe how to enable encryption by default. Encrypting attached EBS volumes requires further steps, please follow to the documentation for further instructions.

From Portal

  1. Go to 'EC2'
  2. In the upper-right corner, under 'Account attributes', select 'EBS encryption'
  3. Under 'EBS encryption', select 'Manage'
  4. Enable 'Always encrypt new EBS volumes'
  5. Press 'Update EBS encryption'

From TF
To enable EBS encryption by default for your AWS account, set the 'aws_ebs_encryption_by_default' block as following:

resource "aws_ebs_encryption_by_default" "ebs_encryption_by_default_example" {
	enabled = true

From Command Line
To enable EBS encryption by default for your AWS account in the current region, use:

aws ec2 enable-ebs-encryption-by-default


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset