Description: 

Elastic Block Store (EBS) is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and durable storage volumes that can be attached to any running instance in the same Availability Zone and used like a hard drive.


Rationale:

EBS encrypts each volume with a per-volume data key using the industry-standard AES-256 algorithm; the data key is itself protected by an AWS KMS key. Encryption covers the data at rest on the volume, the data moving between the instance and the volume, and every snapshot taken from the volume. With an unencrypted volume none of that protection applies: the data is stored in the clear, and snapshots taken from it are unencrypted as well, so a copied or shared snapshot exposes the data directly.

Impact:

With Amazon EBS encryption you aren't required to build, maintain, and secure your own key management infrastructure: encrypted volumes use AWS KMS keys, either the AWS managed key (alias/aws/ebs) or a customer managed key. Encryption cannot be switched on for an existing volume in place; an unencrypted volume has to be replaced by an encrypted volume created from a snapshot, which needs a maintenance window for volumes that are attached to an instance. Principals that create or attach encrypted volumes need permission to use the KMS key, and encrypted volumes can only be attached to instance types that support EBS encryption.

Default Value:

By default, EBS volumes are not encrypted. Encryption by default is an account-level setting configured per Region and is disabled unless explicitly enabled.

Audit:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel.

  4. Select the EBS volume you want to examine.

  5. Go to the Details tab (called Description in the older console) at the bottom.

  6. Check the Encryption field.


A value of Not encrypted means the volume is unencrypted. The Volumes list is per Region, so repeat the check in every Region the account uses.


Using AWS CLI:

To describe one or more volumes and show only the fields relevant to this check (Encrypted is false for an unencrypted volume, and KmsKeyId is present only for encrypted ones). To list every unencrypted volume in the Region instead of naming IDs, use the filter Name=encrypted,Values=false.

aws ec2 describe-volumes \
--volume-ids vol-049df61146c4d7901 vol-1234567890abcdef0 \
--query 'Volumes[].{VolumeId:VolumeId,Encrypted:Encrypted,KmsKeyId:KmsKeyId,AvailabilityZone:AvailabilityZone}'


Remediation:

Pre-requisites:

  • Sign in as an admin or IAM user with the required permissions (ec2:CreateSnapshot, ec2:CreateVolume, ec2:DetachVolume and ec2:AttachVolume, plus permission to use the chosen KMS key).

  • Take a snapshot of the volume as a backup before making any change.

Implementation Steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel.

  4. Select the unencrypted EBS volume and note its Availability Zone, the instance it is attached to, and the device name (for example /dev/xvda or /dev/sdf).

  5. Click on Actions and select Create snapshot.

  6. On the Create snapshot page enter the required details and click Create snapshot. Wait until the snapshot status is Completed.

  7. Click on Snapshots in the left navigation pane.

  8. Select the snapshot that you just created.
  9. Click on Actions and select Create Volume.
  10. On the Create volume page choose the same Availability Zone as the instance, make sure Encryption is enabled, select the KMS key to use, and click the Create volume button at the bottom.
  11. Go back to Volumes by clicking on Volumes in the left navigation pane.
  12. Prepare the instance: for a data volume, unmount the filesystem inside the operating system; for the root volume, stop the instance first, because a root volume cannot be detached while the instance is running.
  13. Select the old unencrypted volume, click on Actions, and select Detach Volume.
  14. Select the encrypted volume you just created from the snapshot.
  15. Click on Actions and select Attach Volume.
  16. Enter the Instance ID you want to attach this volume to and the original device name, and click on Attach. Start the instance (or remount the filesystem), verify the data, and only then delete the old unencrypted volume and its unencrypted snapshot. If the old volume had Delete on termination set, set it again on the new attachment; a newly attached volume does not inherit it.
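The CLI audit above and the console migration steps, combined as an added Python example that is not AWS code and not part of the original page. It runs offline against captured JSON from `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default`; both sample documents are constructed, every volume, instance and key ID in them is fictitious, the ROOT_DEVICE_NAMES set is an assumption about common root device names, and alias/aws/ebs is the AWS managed EBS key alias. It flags the unencrypted volumes and emits, per volume, the ordered CLI commands that mirror the steps above: snapshot, encrypted volume from the snapshot in the same Availability Zone, detach, re-attach under the original device name, with the root-volume and Delete-on-termination cases handled.

```python
import json

# Constructed sample of `aws ec2 describe-volumes --output json`; all IDs are fictitious.
DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "AvailabilityZone": "us-east-1a",
         "Encrypted": False, "State": "in-use", "Size": 8,
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda",
                          "State": "attached", "DeleteOnTermination": True}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "AvailabilityZone": "us-east-1b",
         "Encrypted": True, "State": "in-use", "Size": 100,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
         "Attachments": [{"InstanceId": "i-0fedcba9876543210", "Device": "/dev/sdf",
                          "State": "attached", "DeleteOnTermination": False}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60003", "AvailabilityZone": "us-east-1a",
         "Encrypted": False, "State": "available", "Size": 20, "Attachments": []},
    ]
})
# Constructed sample of `aws ec2 get-ebs-encryption-by-default`.
ENCRYPTION_BY_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})

# Device names EC2 commonly uses for the root volume (assumption made for this example).
ROOT_DEVICE_NAMES = {"/dev/xvda", "/dev/sda1"}


def audit(describe_volumes_json, encryption_by_default_json):
    """Flag unencrypted volumes and report the Region's encryption-by-default setting."""
    volumes = json.loads(describe_volumes_json)["Volumes"]
    unencrypted = [v for v in volumes if not v.get("Encrypted", False)]
    return {
        "encryption_by_default": json.loads(encryption_by_default_json)["EbsEncryptionByDefault"],
        "unencrypted_volume_ids": sorted(v["VolumeId"] for v in unencrypted),
        "unencrypted_volumes": unencrypted,
    }


def remediation_plan(volume, kms_key_id="alias/aws/ebs"):
    """Ordered aws CLI commands that replace one unencrypted volume with an encrypted copy.

    A snapshot of an unencrypted volume is itself unencrypted; encryption happens when
    the new volume is created from it with --encrypted. The copy must live in the
    instance's Availability Zone and is re-attached under the old device name.
    <snapshot-id> and <new-volume-id> are placeholders for the IDs returned by the
    earlier commands.
    """
    vid, az = volume["VolumeId"], volume["AvailabilityZone"]
    steps = [
        f"aws ec2 create-snapshot --volume-id {vid} --description 'pre-encryption backup of {vid}'",
        "aws ec2 wait snapshot-completed --snapshot-ids <snapshot-id>",
        f"aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone {az} "
        f"--encrypted --kms-key-id {kms_key_id}",
        "aws ec2 wait volume-available --volume-ids <new-volume-id>",
    ]
    attachments = volume.get("Attachments") or []
    if not attachments:
        return steps  # detached volume: nothing to swap, delete the old one after verifying
    att = attachments[0]
    inst, dev = att["InstanceId"], att["Device"]
    is_root = dev in ROOT_DEVICE_NAMES
    if is_root:
        # A root volume cannot be detached from a running instance.
        steps += [f"aws ec2 stop-instances --instance-ids {inst}",
                  f"aws ec2 wait instance-stopped --instance-ids {inst}"]
    else:
        steps.append(f"# unmount {dev} inside the guest OS before detaching")
    steps += [
        f"aws ec2 detach-volume --volume-id {vid}",
        f"aws ec2 wait volume-available --volume-ids {vid}",
        f"aws ec2 attach-volume --volume-id <new-volume-id> --instance-id {inst} --device {dev}",
    ]
    if att.get("DeleteOnTermination"):
        # attach-volume leaves DeleteOnTermination false; restore the old volume's setting.
        mapping = json.dumps([{"DeviceName": dev, "Ebs": {"DeleteOnTermination": True}}])
        steps.append(f"aws ec2 modify-instance-attribute --instance-id {inst} "
                     f"--block-device-mappings '{mapping}'")
    if is_root:
        steps.append(f"aws ec2 start-instances --instance-ids {inst}")
    return steps


if __name__ == "__main__":
    report = audit(DESCRIBE_VOLUMES, ENCRYPTION_BY_DEFAULT)
    print("Encryption by default:", report["encryption_by_default"])
    for vol in report["unencrypted_volumes"]:
        print(f"\n{vol['VolumeId']} ({vol['AvailabilityZone']}) is NOT encrypted; plan:")
        for step in remediation_plan(vol):
            print("  ", step)
```

In real use, replace the two constants with the output of the corresponding aws commands (per Region) and pass a customer managed key ARN or alias as kms_key_id if the AWS managed key is not acceptable. The plan is printed rather than executed so it can be reviewed and run step by step during the maintenance window.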


Using AWS CLI:

To enable EBS encryption by default in the current Region. The setting is per Region, so run it in every Region in use. It applies only to volumes created after the change; existing unencrypted volumes stay unencrypted and still need the snapshot migration described above.

aws ec2 enable-ebs-encryption-by-default

Backout plan:

In case of any data loss or corruption during the implementation process, you can restore the data from the snapshot you created as a backup.

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Snapshots in the left navigation pane.

  4. Select the backup snapshot, click on Actions and select Create Volume, then attach the restored volume to the instance in place of the damaged one.


Using AWS CLI:

To disable EBS encryption by default in the current Region. This only affects volumes created afterwards; it does not decrypt existing encrypted volumes, and an encrypted volume cannot be converted back to an unencrypted one.

aws ec2 disable-ebs-encryption-by-default

Reference:

Amazon EBS encryption - Amazon Elastic Compute Cloud: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html