Ensure that the root block device has encryption enabled

With Amazon EBS encryption you do not have to build, maintain, and secure your own key-management infrastructure: volumes are encrypted with AWS KMS keys (the AWS-managed key aws/ebs by default, or a customer-managed key you specify in Ebs.KmsKeyId). Data is encrypted at rest on the volume, in transit between the volume and the EC2 instance, and in any snapshots created from the volume. A root volume that is not encrypted exposes the operating system, credentials, and application data stored on it to anyone who can snapshot or detach the volume.

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.CFT.CRY.10
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AWS_EC2_Instance should have BlockDeviceMappings contain-all [ Ebs.Encrypted='true' ]

REMEDIATION

From CFT
Set Ebs.Encrypted to true on every entry of the BlockDeviceMappings array of the AWS::EC2::Instance resource. To encrypt the root volume, the entry's DeviceName must match the root device name of the AMI (for example /dev/xvda for Amazon Linux AMIs, /dev/sda1 for many others); a mapping with a different DeviceName attaches an additional volume instead of overriding the root volume, and the root volume stays unencrypted. If Ebs.KmsKeyId is omitted the AWS-managed key aws/ebs is used; set it to a customer-managed key when you need control over the key policy and rotation.
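The following is an added example (not CloudGuard, Spectral, or AWS code) that applies the GSL logic above to a template: it parses a constructed CloudFormation template containing one non-compliant and one compliant AWS::EC2::Instance, reports every block device mapping that does not set Ebs.Encrypted to true, and produces a remediated copy of the template as described under "From CFT". The logical IDs and the AmiId and EbsKmsKeyId parameters are placeholders; how CloudGuard treats an instance that declares no BlockDeviceMappings at all is not stated on this page, so reporting that case is the example's own assumption.

```python
"""Added example: apply the rule
  AWS_EC2_Instance should have BlockDeviceMappings contain-all [ Ebs.Encrypted='true' ]
to a CloudFormation template and produce a remediated copy.
Not CloudGuard/Spectral code; the template below is constructed for the example."""
import copy
import json

# Constructed CloudFormation template in JSON form. The logical IDs and the
# AmiId / EbsKmsKeyId parameters are placeholders, not real resources.
TEMPLATE_JSON = r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "AmiId": {"Type": "AWS::EC2::Image::Id"},
    "EbsKmsKeyId": {"Type": "String", "Description": "Customer-managed KMS key for EBS"}
  },
  "Resources": {
    "UnencryptedInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Ref": "AmiId"},
        "InstanceType": "t3.micro",
        "BlockDeviceMappings": [
          {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "VolumeType": "gp3"}},
          {"DeviceName": "/dev/sdf",  "Ebs": {"VolumeSize": 100, "Encrypted": false}}
        ]
      }
    },
    "EncryptedInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Ref": "AmiId"},
        "InstanceType": "t3.micro",
        "BlockDeviceMappings": [
          {"DeviceName": "/dev/xvda",
           "Ebs": {"VolumeSize": 8, "VolumeType": "gp3", "Encrypted": true,
                   "KmsKeyId": {"Ref": "EbsKmsKeyId"}}},
          {"DeviceName": "/dev/sdf", "Ebs": {"VolumeSize": 100, "Encrypted": "true"}}
        ]
      }
    }
  }
}
"""


def _is_true(value):
    """CloudFormation accepts booleans either as JSON/YAML booleans or as the
    strings "true"/"false"; both forms satisfy the rule's Ebs.Encrypted='true'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_mappings(template):
    """Return {logical_id: [DeviceName, ...]} for every AWS::EC2::Instance whose
    BlockDeviceMappings are not all Ebs.Encrypted=true. Entries with no Ebs block
    (instance-store VirtualName or NoDevice entries) fail the literal contain-all
    rule and are reported too. An instance with no BlockDeviceMappings inherits the
    AMI's root-volume setting, which the template cannot prove is encrypted, so it
    is reported as well (this example's assumption, not stated by the rule)."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        mappings = resource.get("Properties", {}).get("BlockDeviceMappings")
        if not mappings:
            findings[logical_id] = ["<no BlockDeviceMappings>"]
            continue
        bad = [m.get("DeviceName", "<no DeviceName>") for m in mappings
               if not _is_true(m.get("Ebs", {}).get("Encrypted"))]
        if bad:
            findings[logical_id] = bad
    return findings


def remediate(template):
    """Return a deep copy in which every EBS mapping of every AWS::EC2::Instance
    sets Ebs.Encrypted to true (the 'From CFT' remediation). Mappings without an
    Ebs block are left untouched: there is no EBS volume there to encrypt."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        for mapping in resource.get("Properties", {}).get("BlockDeviceMappings", []):
            if "Ebs" in mapping:
                mapping["Ebs"]["Encrypted"] = True
    return fixed


if __name__ == "__main__":
    template = json.loads(TEMPLATE_JSON)
    print("findings before:", find_unencrypted_mappings(template))
    print("findings after: ", find_unencrypted_mappings(remediate(template)))
```

Running the script reports UnencryptedInstance with both /dev/xvda (Encrypted missing) and /dev/sdf (Encrypted false) and nothing for EncryptedInstance, whose second mapping uses the string form "true"; after remediate() the template is clean. Remediation only adds Encrypted to mappings that already exist, so check separately that a /dev/xvda or /dev/sda1 entry matching the AMI's root device is present, otherwise only the extra data volumes end up encrypted.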

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-root-volume-property/

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudFormation ruleset