Attached EBS volumes should be encrypted at-rest

For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses KMS keys when creating encrypted volumes and snapshots.

Risk Level: Medium
Cloud Entity: Amazon Elastic Block Storage (EBS)
CloudGuard Rule ID: D9.AWS.CRY.83
Covered by Spectral: No
Category: Storage

GSL LOGIC

Volume where state='attached' should have encrypted=true

REMEDIATION

From Portal
Use following steps to create a new, encrypted EBS volume:

  1. Navigate to EC2.
  2. Select the Region in which you would like to create your volume.
  3. In the navigation pane, select ELASTIC BLOCK STORE, Volumes.
  4. Select Create Volume.
  5. Select the desired values for Volume Type, Size, IOPS, Throughput, and Availability Zone.
  6. To encrypt the volume, select Encrypt this volume, and choose a CMK.
  7. Click Create Volume.

From TF
Ensure that an aws_ebs_volume resource has the encrypted field set to true

resource "aws_ebs_volume" "example" {
	encrypted = true
	# other required fields here
}

From Command Line

  1. Get a list of an instance volumes to see which are encrypted and unencrypted. Note the volume id and mount device for each unencrypted volume.
aws ec2 describe-volumes --filters Name=attachment.instance-id, Values=instance_id
  1. Create a snapshot of an unencrypted EBS volume and track the snapshot id that is returned.
aws ec2 create-snapshot --volume-id unencrypted_volume_id
  1. Make an encrypted copy of the snapshot you just created and get the new snapshot id.
aws ec2 copy-snapshot --region destination_region --source-region region_name --encrypted --source-snapshot-id snapshot_id
  1. Create a new EBS volume from the encrypted snapshot and get the new volume id.
aws ec2 create-volume --region region_name --availability-zone availability_zone --snapshot-id snapshot_id --volume-type gp2 --encrypted
  1. Stop the instance with the unencrypted EBS volume
aws ec2 stop-instance --instance-id instance_id
  1. Detatch the non-encrypted EBS volume
aws ec2 detach-volume --volume-id unencrypted_volume_id
  1. Attach the new encrypted EBS volume to the EC2 instance:
aws ec2 attach-volume --volume-id encrypted_volume_id --instance-id instance_id --device device_name
  1. Restart the instance:
aws ec2 start-instance --instance-id instance_id

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html
  3. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-volume.html

Amazon Elastic Block Storage (EBS)

Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes ��� all while paying a low price for only what you prov

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset