Ensure EBS Volume Encryption is Enabled in all Regions

HIGH

Description

Description:

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. Although this is disabled by default, the account can be configured to force encryption of every EBS volume at creation time.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Losing access to, or deleting, the KMS key used by the EBS volumes will make those volumes permanently inaccessible.

Remediation

From Console:

  1. Log in to the AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
  2. Under 'Account attributes', click 'EBS encryption'.
  3. Click 'Manage'.
  4. Click the 'Enable' checkbox.
  5. Click 'Update EBS encryption'.
  6. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.

From Command Line:

  1. Run

aws ec2 enable-ebs-encryption-by-default --region <region>

  2. Verify that '"EbsEncryptionByDefault": true' is displayed.
  3. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.
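An added example, not part of this benchmark: a POSIX shell script that applies the command-line procedure above to every enabled region, verifying the API response after enabling and reporting the default KMS key each region would use (the key the rationale warns against losing). It assumes AWS CLI v2 and credentials permitted to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and ec2:EnableEbsEncryptionByDefault.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit every enabled region for EBS
# encryption-by-default and optionally enable it. Assumes AWS CLI v2 and
# credentials allowed to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault,
# ec2:GetEbsDefaultKmsKeyId and ec2:EnableEbsEncryptionByDefault.
set -eu

# Returns 0 when the JSON from get/enable-ebs-encryption-by-default reports true.
# Takes the JSON as an argument so the check can be exercised without AWS access.
ebs_default_enabled() {
  printf '%s' "$1" | grep -Eq '"EbsEncryptionByDefault"[[:space:]]*:[[:space:]]*true'
}

# Every region enabled for this account (disabled opt-in regions are not listed).
list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Audit one region: report PASS/FAIL and the KMS key new volumes would use,
# since losing that key makes every volume encrypted under it unreadable.
audit_region() {
  region="$1"
  json=$(aws ec2 get-ebs-encryption-by-default --region "$region" --output json)
  key=$(aws ec2 get-ebs-default-kms-key-id --region "$region" \
        --query KmsKeyId --output text)
  if ebs_default_enabled "$json"; then
    echo "$region: PASS (default key: $key)"
  else
    echo "$region: FAIL encryption by default is disabled (default key: $key)"
  fi
}

# Enable one region and verify the API response, as the benchmark's step 2 asks.
enable_region() {
  region="$1"
  json=$(aws ec2 enable-ebs-encryption-by-default --region "$region" --output json)
  if ebs_default_enabled "$json"; then
    echo "$region: enabled"
  else
    echo "$region: response did not report EbsEncryptionByDefault=true" >&2
    return 1
  fi
}

# Usage: sh ebs-default-encryption.sh audit   (read-only)
#        sh ebs-default-encryption.sh enable  (remediate every enabled region)
case "${1:-}" in
  audit)  for r in $(list_regions); do audit_region "$r"; done ;;
  enable) for r in $(list_regions); do enable_region "$r"; done ;;
esac
```

Run `audit` first in a read-only session; `enable` only changes the account attribute, it does not encrypt volumes that already exist.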