CloudWiki
Rules
Medium

Ensure EBS volumes are encrypted

Security & Compliance
APRA
MAS
NIST4
CIS
ISO 27001
PCI-DSS
HIPAA
NIST 800-53
HITRUST
GDPR
AWS Foundational Security Best Practices Controls
Description

To safeguard business-critical production data from unauthorized personnel or attackers, it is strongly recommended to implement encryption. Encryption at rest is a method to secure the data stored on Amazon Elastic Block Store (EBS) volumes, disk I/O, and snapshots by encrypting it. The keys used for encryption are managed and protected by Amazon Key Management Service (KMS), and the encryption algorithm utilized is AES-256. To meet security and compliance requirements, it is important to ensure that all Amazon EBS volumes are encrypted. With encryption enabled, sensitive, confidential, and critical data can be stored on EBS volumes. The encryption and decryption process is carried out transparently and does not require any additional action from you, your server instance, or your application.

Remediation

To ensure that all Amazon EBS volumes are encrypted, you can follow these steps:

  1. Log in to the AWS Management Console and navigate to the Amazon EC2 console.
  2. Identify the EBS volumes that are not encrypted.
  3. Stop the instances that are associated with the unencrypted EBS volumes.
  4. Create a snapshot of the unencrypted EBS volumes.
  5. Copy the snapshot to a new encrypted snapshot. During this process, you can enable encryption and specify the KMS key to use for encryption.
  6. Create a new encrypted EBS volume from the encrypted snapshot.
  7. Attach the new encrypted EBS volume to the instance.
  8. Start the instance.

After following these steps, the EBS volume will be encrypted, and data stored on the volume will be protected. Additionally, it is recommended to enable default encryption for all new EBS volumes created in the future. This can be done by creating a new KMS key or using an existing one and then setting up the default encryption for EBS volumes using the AWS Management Console or AWS CLI.

Enforced Resources
EBS Volume
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.