Ensure default encryption is enabled for AWS EBS Volumes

HIGH

Description

Unencrypted AWS EBS Volumes may expose sensitive customer data.

Remediation

In AWS Console -

Sign in to AWS Console and go to the Amazon EC2 console.
Select the region from the navigation bar.
Select EC2 Dashboard from the navigation pane.
In the upper-right corner of the page, select Account Attributes, EBS encryption.
Select Manage.
For Default encryption key, select a symmetric customer managed key.
Select Update EBS encryption.

In terraform -

Create an aws_ebs_encryption_by_default resource, and set 'enabled' to 'true'.

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default

Policy Details

Rule Reference ID: AC_AWS_0079

CSP: AWS

Remediation Available: Yes

Domain: Data Protection

Resource: aws_ebs_encryption_by_default

Resource Category: Storage

Resource Type: Elastic Block Store (EBS)

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0