Ensure at-rest data encryption is enabled for AWS EBS Root Block cluster

HIGH

Description

AWS ECS cluster instances launched with unencrypted EBS block devices put the confidentiality of data at rest at risk: anyone who obtains a snapshot or the underlying volume can read its contents.

Remediation

At-rest encryption can be enabled on a replication group only when it is created. Because encrypting and decrypting data requires some processing, enabling at-rest encryption can have a performance impact during these operations. For more information on how to set up launch configurations, see the AWS documentation.

In Terraform -

  1. In the aws_launch_configuration resource, set the ebs_block_device.encrypted field to true.
  2. This will destroy existing launch configurations for autoscaling groups and deploy a new configuration. For more information, see the Terraform documentation.
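The following is an added example, not taken from this rule page or from the Terraform provider documentation. It shows a non-compliant launch configuration beside the remediated one; the resource names, AMI ID and device names are placeholders.

```hcl
# NON-COMPLIANT (placeholder names): block devices default to unencrypted,
# so any ECS instance from this configuration stores data in the clear.
resource "aws_launch_configuration" "ecs_unencrypted" {
  name_prefix   = "ecs-unencrypted-"
  image_id      = "ami-PLACEHOLDER"   # placeholder, not a real AMI
  instance_type = "t3.medium"

  root_block_device {
    volume_size = 30
  }

  ebs_block_device {
    device_name = "/dev/xvdf"
    volume_size = 50
  }
}

# COMPLIANT: encrypted = true on the root device and on every additional
# EBS block device. Changing a launch configuration forces replacement,
# so create_before_destroy lets the ASG switch over without downtime.
resource "aws_launch_configuration" "ecs_encrypted" {
  name_prefix   = "ecs-encrypted-"
  image_id      = "ami-PLACEHOLDER"   # placeholder, not a real AMI
  instance_type = "t3.medium"

  root_block_device {
    volume_size = 30
    encrypted   = true
  }

  ebs_block_device {
    device_name = "/dev/xvdf"
    volume_size = 50
    encrypted   = true
  }

  lifecycle {
    create_before_destroy = true
  }
}

# The autoscaling group references the configuration by name, so the
# replacement described in step 2 rolls out through this attachment.
resource "aws_autoscaling_group" "ecs" {
  name_prefix          = "ecs-asg-"
  launch_configuration = aws_launch_configuration.ecs_encrypted.name
  min_size             = 1
  max_size             = 3
  vpc_zone_identifier  = ["subnet-PLACEHOLDER"]   # placeholder subnet
}
```

Existing instances keep their old volumes until they are replaced; run an instance refresh or scale the group after applying so that every node is launched from the encrypted configuration.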

References:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-configuration.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration

Policy Details

Rule Reference ID: AC_AWS_0167
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks