Description:
Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used as a hard drive.
Rationale:
EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Data on an unencrypted EBS volume is stored in the clear, so anyone who gains access to the volume, its snapshots, or the underlying storage could read it.
Impact:
With Amazon EBS encryption, you aren't required to build, maintain, and secure your key management infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes.
Default Value:
By default, EBS volumes are not encrypted.
Pre-requisites:
Sign in as admin or IAM user with required permissions
Take a snapshot of the volume as a backup
Remediation:
Test Plan:
Log in to the AWS Management Console.
Go to EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on Volumes, in the navigation panel
Select EBS volume you want to examine
Go to the Description tab at the bottom
Check the Encrypted section
If the Encrypted field shows Not Encrypted, the volume is not encrypted.
Using AWS CLI
To describe the volumes and show their Encrypted field
aws ec2 describe-volumes --volume-ids vol-049df61146c4d7901 vol-1234567890abcdef0 --query 'Volumes[].{VolumeId:VolumeId,Encrypted:Encrypted}'
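As an added example (not part of the original benchmark page), the following Python script evaluates the JSON returned by `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default`, reporting every unencrypted volume together with the instances it is attached to, and a single pass/fail verdict. The volume, instance and key IDs below are constructed sample data; feed the real CLI output into the same functions to run it against an account.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-volumes`,
# trimmed to the fields this check needs (all IDs are made up).
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa111122223333a", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda", "State": "attached"}]},
        {"VolumeId": "vol-0bbb111122223333b", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/sdf", "State": "attached"}]},
        {"VolumeId": "vol-0ccc111122223333c", "Encrypted": False, "Attachments": []},
    ]
})

# Constructed sample in the shape returned by `aws ec2 get-ebs-encryption-by-default`.
SAMPLE_ENCRYPTION_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})


def find_unencrypted_volumes(describe_volumes_output):
    """Return one finding per volume whose Encrypted flag is false."""
    findings = []
    for vol in json.loads(describe_volumes_output).get("Volumes", []):
        if vol.get("Encrypted"):
            continue
        attachments = vol.get("Attachments") or []
        findings.append({
            "VolumeId": vol["VolumeId"],
            # An unattached volume can be re-created from a snapshot at once; an
            # attached one must be detached first (a root volume needs the instance stopped).
            "Attached": bool(attachments),
            "Instances": sorted({a["InstanceId"] for a in attachments if "InstanceId" in a}),
        })
    return findings


def encryption_by_default_enabled(get_default_output):
    """True when the Region-level encryption-by-default setting is on (new volumes only)."""
    return bool(json.loads(get_default_output).get("EbsEncryptionByDefault", False))


def assess(describe_volumes_output, get_default_output):
    """Combine both checks: compliant only if no unencrypted volume exists and the default is on."""
    unencrypted = find_unencrypted_volumes(describe_volumes_output)
    default_on = encryption_by_default_enabled(get_default_output)
    return {"compliant": not unencrypted and default_on,
            "encryption_by_default": default_on,
            "unencrypted_volumes": unencrypted}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_DESCRIBE_VOLUMES, SAMPLE_ENCRYPTION_DEFAULT), indent=2))
```

Enabling encryption by default does not touch existing volumes, which is why the verdict also requires the per-volume scan to come back empty.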
Implementation Steps:
Log in to the AWS Management Console.
Go to EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on Volumes, in the navigation panel
Select the EBS volume
Click on Actions and select Create Snapshot
On the Create Snapshot page, enter the required details and click on Create Snapshot
Click on Snapshots in the left navigation pane
Select the snapshot that you just created
Click on Actions and select Create Volume
On the Create Volume page, make sure Encryption is enabled and click on the Create Volume button at the bottom
Go back to Volumes by clicking on Volumes in the left navigation pane
Select the old unencrypted volume, click on Actions, and select Detach Volume
Select the volume you just created from the snapshot
Click on Actions and select Attach Volume
Enter the ID of the instance to which you want to attach this volume and click on Attach
Using AWS CLI:
To enable EBS encryption by default
aws ec2 enable-ebs-encryption-by-default
Backout plan:
In case of any data loss or corruption during the implementation process, you can restore the data from the snapshot you created as a backup.
Log in to the AWS Management Console.
Go to EC2 dashboard at https://console.aws.amazon.com/ec2/
Click on Snapshots in the left navigation pane
Click on Actions and select Create Volume
Using AWS CLI:
To disable EBS encryption by default
aws ec2 disable-ebs-encryption-by-default
Reference:
Amazon EBS encryption - Amazon Elastic Compute Cloud