Description:
Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used as a hard drive.
Rationale:
EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Leaving EBS volumes unencrypted means the data stored on them sits at rest without this protection and could be exposed in a security incident.
Impact:
With Amazon EBS encryption, you are not required to build, maintain, and secure your own key management infrastructure: Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes.
Default Value:
By default, EBS volumes are not encrypted.
Audit:
Log in to the AWS Management Console.
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on Volumes in the navigation panel.
Select the EBS volume you want to examine.
Go to the Description tab at the bottom.
Check the Encrypted section.
If the Encrypted field shows Not Encrypted, the volume is not encrypted.
Using AWS CLI:
To describe one or more volumes and check the Encrypted field in the output:
aws ec2 describe-volumes \
--volume-ids vol-049df61146c4d7901 vol-1234567890abcdef0
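The audit above can be automated by running describe-volumes over every volume in the region and reporting those whose Encrypted flag is false. The script below is an added example, not part of the original control text; the JSON sample it parses is constructed to match the shape of aws ec2 describe-volumes output, and the third volume ID, the instance ID and the KMS key ARN are placeholders.

```python
"""Audit EBS volumes for missing encryption (added example, not from the original control).

Parses the JSON returned by `aws ec2 describe-volumes --output json` and lists every
volume whose Encrypted flag is false, with its state and any attached instances.
"""
import json
import subprocess

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# The first two volume IDs come from the audit command above; the rest are placeholders.
SAMPLE_DESCRIBE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-049df61146c4d7901", "Encrypted": False, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/sda1"}]},
        {"VolumeId": "vol-1234567890abcdef0", "Encrypted": True, "State": "available",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "Attachments": []},
        {"VolumeId": "vol-0abc0abc0abc0abc0", "Encrypted": False, "State": "available",
         "Attachments": []},
    ]
}


def unencrypted_volumes(describe_output):
    """Return (volume_id, state, [attached instance ids]) for each volume with Encrypted == False."""
    findings = []
    for vol in describe_output.get("Volumes", []):
        if not vol.get("Encrypted", False):  # a missing flag is treated as unencrypted
            instances = [a["InstanceId"] for a in vol.get("Attachments", []) if "InstanceId" in a]
            findings.append((vol["VolumeId"], vol.get("State", "unknown"), instances))
    return findings


def audit_report(describe_output):
    """Summarise the audit: counts plus one tab-separated line per unencrypted volume."""
    findings = unencrypted_volumes(describe_output)
    lines = [f"{vid}\t{state}\t{','.join(inst) or '-'}" for vid, state, inst in findings]
    return {"total": len(describe_output.get("Volumes", [])), "unencrypted": len(findings), "lines": lines}


def live_describe_volumes(region=None):
    """Fetch real data through the AWS CLI (needs credentials); the tests use the sample instead."""
    cmd = ["aws", "ec2", "describe-volumes", "--output", "json"]
    if region:
        cmd += ["--region", region]
    return json.loads(subprocess.check_output(cmd))


if __name__ == "__main__":
    report = audit_report(SAMPLE_DESCRIBE_VOLUMES)  # swap in live_describe_volumes() for a real account
    print(f"{report['unencrypted']} of {report['total']} volumes are unencrypted")
    print("\n".join(report["lines"]))
```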
Remediation:
Pre-requisites:
Sign in as an admin or IAM user with the required permissions.
Take a snapshot of the volume as a backup.
Implementation Steps:
- Log in to the AWS Management Console.
- Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/
- Click on Volumes in the navigation panel.
- Select the EBS volume.
- Click on Actions and select Create Snapshot.
- On the Create Snapshot page, enter the required details and click on Create Snapshot.
- Click on Snapshots in the left navigation pane.
- Select the snapshot that you just created.
- Click on Actions and select Create Volume.
- On the Create Volume page, make sure Encryption is enabled and click on the Create Volume button at the bottom.
- Go back to volumes by clicking on Volumes in the left navigation pane.
- Select the old unencrypted volume, click on Actions, and select Detach Volume.
- Select the volume you just created from the snapshot.
- Click on Actions and select Attach Volume.
- Enter the Instance ID that you want to attach this volume to and click on Attach.
Using AWS CLI:
To enable EBS encryption by default for new volumes in the region:
aws ec2 enable-ebs-encryption-by-default
Backout plan:
In case of any data loss or corruption during the implementation process, you can restore the data from the snapshot you created as a backup.
Log in to the AWS Management Console.
Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on Snapshots in the left navigation pane.
Click on Actions and select Create Volume.
Using AWS CLI:
To disable EBS encryption by default
aws ec2 disable-ebs-encryption-by-default
Reference: