Ensure at-rest data encryption is enabled for AWS ECS clusters

LOW

Description

The root block devices of ECS cluster container instances (the EC2 nodes that run the tasks) are encrypted only if encryption is requested when the instance is launched, so the setting belongs in the launch configuration before the nodes are built. Encrypting these volumes is considered best practice, helps protect sensitive data such as container images, task logs and scratch files written to the root volume, and is often required by compliance regulations.

Remediation

EBS encryption is applied when a volume is created, so it has to be part of the launch configuration's root block device mapping; an unencrypted root volume on a running node cannot be encrypted in place. Because encryption and decryption require some processing, enabling at-rest encryption can have a small performance impact on these operations. For more information on how to set up launch configurations, see the AWS documentation.

In Terraform -

  1. In the aws_launch_configuration resource, set the root_block_device.encrypted field to true.
  2. Launch configurations are immutable, so this change forces Terraform to destroy the existing launch configuration and create a new one, and the Auto Scaling group must be pointed at the replacement. Instances that are already running keep their unencrypted root volumes until they are replaced (for example with an instance refresh). For more information, see the Terraform documentation.
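The following is an added example of the remediation above, not code from the original page: an unencrypted launch configuration next to its corrected form, wired to an Auto Scaling group so that the replacement launch configuration is created before the old one is destroyed and running nodes are rolled. The AMI variable, subnet variable, ECS cluster resource and instance profile it references are assumed to exist elsewhere in the module.

```hcl
# Before: the root volume is created unencrypted, which is what AC_AWS_0166 reports.
resource "aws_launch_configuration" "ecs_nodes_unencrypted" {
  name_prefix   = "ecs-node-"
  image_id      = var.ecs_ami_id   # assumed: ECS-optimized AMI ID defined elsewhere
  instance_type = "t3.medium"

  root_block_device {
    volume_type = "gp3"
    volume_size = 30
    # "encrypted" omitted: it defaults to false
  }
}

# After: encryption is requested at launch, so every root volume the ASG creates is encrypted.
resource "aws_launch_configuration" "ecs_nodes" {
  name_prefix          = "ecs-node-"
  image_id             = var.ecs_ami_id
  instance_type        = "t3.medium"
  iam_instance_profile = aws_iam_instance_profile.ecs_node.name   # assumed resource
  user_data            = <<-EOF
    #!/bin/bash
    echo "ECS_CLUSTER=${aws_ecs_cluster.main.name}" >> /etc/ecs/ecs.config
  EOF

  root_block_device {
    volume_type = "gp3"
    volume_size = 30
    encrypted   = true   # the remediation
  }

  # A launch configuration cannot be modified, so any change replaces it.
  # name_prefix plus create_before_destroy lets Terraform create the new one
  # and re-point the ASG before deleting the old one, avoiding a window in
  # which the ASG references a deleted launch configuration.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_autoscaling_group" "ecs_nodes" {
  name_prefix          = "ecs-node-"
  launch_configuration = aws_launch_configuration.ecs_nodes.name
  min_size             = 1
  max_size             = 3
  vpc_zone_identifier  = var.private_subnet_ids   # assumed variable

  # Swapping the launch configuration does not touch instances that are already
  # running; they keep their unencrypted root volumes. A rolling instance refresh
  # replaces them with nodes launched from the new configuration.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }
}
```

Launch configurations encrypt with the account's default EBS KMS key; there is no field for a customer-managed key in the root block device mapping, so a policy that mandates a specific key requires a launch template instead. After the apply, confirm the result by listing the root volume of a refreshed node (for example with aws ec2 describe-volumes) and checking that its Encrypted attribute is true.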

References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-configuration.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration

Policy Details

Rule Reference ID: AC_AWS_0166
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks