Description: 

Amazon Elastic Block Store (EBS) is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and durable storage volumes that can be attached to any running instance in the same Availability Zone and used like a hard drive.

 

Rationale:

EBS encryption protects data at rest: the volume, the snapshots taken from it, and the data moving between the volume and the instance are encrypted with a per-volume data key that is itself wrapped by an AWS KMS key, using the industry-standard AES-256 algorithm. An unencrypted EBS volume leaves that data readable to anyone who can reach the underlying storage, copy or share its snapshots, or attach the volume to an instance they control.

 

Impact:

With Amazon EBS encryption you do not have to build, maintain, and secure your own key management infrastructure: volumes are encrypted with AWS KMS keys (the AWS-managed aws/ebs key or a customer managed key you choose), and the encryption is transparent to the instance, so the workload does not change. Encryption cannot be switched on in place for an existing volume: remediation means creating an encrypted volume from a snapshot and swapping it in, which involves a detach and attach and, for a root volume, stopping the instance. The encrypted volume must be attached to an instance type that supports EBS encryption (all current-generation types do).


Default Value:

By default, new EBS volumes are not encrypted unless EBS encryption by default has been enabled for the account in that region.


Pre-requisites:

  • Sign in as an administrator, or as an IAM user or role with the required EC2 permissions (plus permission to use the KMS key if you choose a customer managed key)

  • Take a snapshot of the volume as a backup



Remediation:


Test Plan:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel

  4. Select EBS volume you want to examine

  5. Go to the Description tab at the bottom

  6. Check the Encrypted section

    If the Encrypted field shows Not Encrypted, the volume holds its data in plaintext at rest and needs remediation; an encrypted volume shows Encrypted together with the KMS key used.


 Using AWS CLI

To describe volumes and show their encryption status (Encrypted is true or false; KmsKeyId is present only for encrypted volumes):

aws ec2 describe-volumes \
    --volume-ids vol-049df61146c4d7901 vol-1234567890abcdef0 \
    --query 'Volumes[].{VolumeId:VolumeId,Encrypted:Encrypted,KmsKeyId:KmsKeyId}'
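The console check and the describe-volumes call above, automated as an added example (not code from the original page or from AWS): it walks a describe-volumes response, reports every volume whose Encrypted flag is false together with the instance and device it is attached to, and flags root volumes because those can only be swapped with the instance stopped. The embedded response and root-device map are constructed sample data with made-up IDs; fetch_live is an optional path that pulls the same data from a region with boto3 (assumed installed, with credentials) and is not needed offline.

```python
"""Audit EBS volumes for encryption at rest (added example; not from the original page).

Works on the JSON shape returned by `aws ec2 describe-volumes` / boto3
describe_volumes. The sample response and root-device map below are constructed
for offline use; every volume, instance and key ID in them is made up.
"""
import json
import sys

# Constructed sample: one unencrypted root volume, one encrypted data volume,
# one unencrypted volume that is not attached to anything.
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": false, "Size": 8,
     "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda",
                      "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": true, "Size": 100,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
     "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvdf",
                      "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": false, "Size": 20,
     "State": "available", "AvailabilityZone": "us-east-1b", "Attachments": []}
  ]
}
""")

# describe-volumes does not say whether a volume is the root device; that comes
# from describe-instances (RootDeviceName). Constructed to match the sample above.
SAMPLE_ROOT_DEVICES = {"i-0123456789abcdef0": "/dev/xvda"}


def unencrypted_volumes(response, root_devices=None):
    """Return one finding per volume whose Encrypted flag is not true.

    Each finding records where the volume is attached and whether it is the
    instance's root device, because that decides the remediation path: a root
    volume can only be swapped while the instance is stopped.
    """
    root_devices = root_devices or {}
    findings = []
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted") is True:
            continue
        attachments = vol.get("Attachments") or []
        findings.append({
            "VolumeId": vol["VolumeId"],
            "State": vol.get("State"),
            "AvailabilityZone": vol.get("AvailabilityZone"),
            "Attached": [(a.get("InstanceId"), a.get("Device")) for a in attachments],
            "IsRoot": any(root_devices.get(a.get("InstanceId")) == a.get("Device")
                          for a in attachments),
        })
    return findings


def fetch_live(region_name):
    """Pull every volume in a region plus root-device names via boto3.

    Needs boto3 and AWS credentials; not exercised offline.
    """
    import boto3  # imported here so the offline path has no dependency on it
    ec2 = boto3.client("ec2", region_name=region_name)
    volumes, root_devices = [], {}
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    for page in ec2.get_paginator("describe_instances").paginate():
        for res in page["Reservations"]:
            for inst in res["Instances"]:
                root_devices[inst["InstanceId"]] = inst.get("RootDeviceName")
    return {"Volumes": volumes}, root_devices


def report(findings):
    """Render findings as text lines; returns the list so callers can log or check it."""
    lines = []
    for f in findings:
        where = ", ".join(f"{i}:{d}" for i, d in f["Attached"]) or "unattached"
        role = " (root volume: stop the instance before swapping)" if f["IsRoot"] else ""
        lines.append(f"{f['VolumeId']} {f['State']} {f['AvailabilityZone']} {where}{role}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        resp, roots = fetch_live(sys.argv[1])   # e.g. python audit_ebs.py us-east-1
    else:
        resp, roots = SAMPLE_DESCRIBE_VOLUMES, SAMPLE_ROOT_DEVICES
    found = unencrypted_volumes(resp, roots)
    print("\n".join(report(found)) if found else "all volumes encrypted")
    sys.exit(1 if found else 0)
```

Run with no arguments to audit the constructed sample, or with a region name to audit a real account; the non-zero exit code when findings exist makes it usable as a scheduled check.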


Implementation Steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel

  4. Select the unencrypted EBS volume and note its Availability Zone, the Instance ID it is attached to, and its Device name (for example /dev/xvda); you need all three for the swap

  5. Click on Actions and select Create snapshot

  6. In the Create snapshot page enter the required details and click Create snapshot. This snapshot is unencrypted, like its source, and doubles as the backup for the backout plan

  7. Click on Snapshots in the left navigation pane

  8. Select the snapshot that you just created and wait until its status is completed

  9. Click on Actions and select Create Volume

  10. On the Create volume page choose the same Availability Zone as the original volume, make sure Encryption is enabled, pick the KMS key (the AWS-managed aws/ebs key or a customer managed key), and click the Create volume button at the bottom. Encryption is applied when the new volume is created; the unencrypted snapshot itself is unchanged

  11. Go back to volumes by clicking on Volumes in the left navigation pane

  12. If the old volume is the instance's root volume, stop the instance first (a root volume cannot be detached from a running instance). Then select the old unencrypted volume, click on Actions, and select Detach Volume

  13. Select the volume you just created from the snapshot

  14. Click on Actions and select Attach Volume

  15. Enter the Instance ID you want to attach this volume to and the same Device name the old volume used, then click Attach. Start the instance again if you stopped it, confirm it boots and the data is present, and only then delete the old unencrypted volume; keep the backup snapshot until you are satisfied
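The same swap scripted against the boto3 EC2 client, as an added example that is neither the page's own procedure nor an AWS-supplied tool: snapshot the volume, create an encrypted volume from that snapshot in the same Availability Zone, detach the old volume and attach the new one under the original device name, stopping and restarting the instance only when the volume is its root device. FakeEC2 is a constructed in-memory stand-in for boto3.client("ec2") that covers just the calls used, so the sequence runs offline; the volume, instance and snapshot IDs and the KMS key ARN are made up.

```python
"""Swap an unencrypted EBS volume for an encrypted copy. Added example, not the page's own
code: boto3 EC2 calls create_snapshot -> create_volume(Encrypted=True) -> detach/attach under
the original device name. FakeEC2 is a constructed stand-in so it runs offline; pass
boto3.client("ec2", region_name=...) for a real run. All IDs and the KMS ARN are made up."""
from types import SimpleNamespace


def encrypt_volume(ec2, volume_id, kms_key_id=None):
    """Return the ID of an encrypted volume holding volume_id's data, attached where it was."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol.get("Encrypted"):
        return volume_id                                   # already encrypted: nothing to do

    # 1. Backup first. The snapshot of an unencrypted volume is itself unencrypted; it is both
    #    the backout copy and the source for the encrypted replacement.
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"pre-encryption backup of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 2. Encryption is applied when the new volume is created from the snapshot. Same AZ is
    #    mandatory; without KmsKeyId the account's default EBS key (aws/ebs unless changed) is
    #    used. io1/io2 volumes also need Iops copied from vol (omitted here).
    kwargs = dict(SnapshotId=snap_id, AvailabilityZone=vol["AvailabilityZone"], Size=vol["Size"],
                  VolumeType=vol.get("VolumeType", "gp3"), Encrypted=True)
    if kms_key_id:
        kwargs["KmsKeyId"] = kms_key_id
    new_id = ec2.create_volume(**kwargs)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # 3. Swap under the same device name so the guest sees the same disk. A root volume cannot
    #    be detached from a running instance, so stop it for the duration of the swap.
    for att in list(vol.get("Attachments", [])):
        inst, dev = att["InstanceId"], att["Device"]
        desc = ec2.describe_instances(InstanceIds=[inst])
        is_root = dev == desc["Reservations"][0]["Instances"][0]["RootDeviceName"]
        if is_root:
            ec2.stop_instances(InstanceIds=[inst])
            ec2.get_waiter("instance_stopped").wait(InstanceIds=[inst])
        ec2.detach_volume(VolumeId=volume_id, InstanceId=inst, Device=dev)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_id, InstanceId=inst, Device=dev)
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_id])
        if is_root:
            ec2.start_instances(InstanceIds=[inst])
    return new_id      # old volume is left detached; delete it once the instance is verified


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client covering only the calls used above."""
    def __init__(self):
        self.volumes = {"vol-0a1b2c3d4e5f60001": {
            "VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False, "Size": 8, "VolumeType": "gp3",
            "AvailabilityZone": "us-east-1a",
            "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}]}}
        self.instances = {"i-0123456789abcdef0": {"RootDeviceName": "/dev/xvda", "State": "running"}}
        self.calls, self._n = [], 0                        # call log, in order, for inspection
    def _new_id(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n:017x}"
    def get_waiter(self, name):                            # everything completes instantly here
        return SimpleNamespace(wait=lambda **_: None)
    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}
    def create_snapshot(self, VolumeId, Description=""):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": self._new_id("snap"), "Encrypted": self.volumes[VolumeId]["Encrypted"]}
    def create_volume(self, **kw):
        vid = self._new_id("vol")
        self.volumes[vid] = {"VolumeId": vid, "Encrypted": kw.get("Encrypted", False), "Size": kw["Size"],
                             "VolumeType": kw["VolumeType"], "AvailabilityZone": kw["AvailabilityZone"],
                             "KmsKeyId": kw.get("KmsKeyId"), "Attachments": []}
        self.calls.append(("create_volume", vid))
        return self.volumes[vid]
    def _set_state(self, ids, state, name):
        for i in ids:
            self.instances[i]["State"] = state
            self.calls.append((name, i))
    def stop_instances(self, InstanceIds):
        self._set_state(InstanceIds, "stopped", "stop_instances")
    def start_instances(self, InstanceIds):
        self._set_state(InstanceIds, "running", "start_instances")
    def detach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attachments"] = []
        self.calls.append(("detach_volume", VolumeId, Device))
    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attachments"] = [{"InstanceId": InstanceId, "Device": Device}]
        self.calls.append(("attach_volume", VolumeId, Device))


if __name__ == "__main__":
    ec2 = FakeEC2()
    new = encrypt_volume(ec2, "vol-0a1b2c3d4e5f60001",
                         kms_key_id="arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555")
    print("replacement volume:", new, "encrypted:", ec2.volumes[new]["Encrypted"], "calls:", ec2.calls)
```

The waiters are what make this safe against a real account: each step blocks until AWS reports the snapshot completed, the new volume available, the instance stopped, or the old volume detached, so the attach never races the detach. Calling encrypt_volume a second time on the returned volume is a no-op because it is already encrypted.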



Using AWS CLI:

To enable EBS encryption by default. This is a per-region account setting: every volume created from then on is encrypted with the account's default EBS KMS key, but volumes that already exist are not touched and still need the snapshot-and-swap above. Verify the setting with aws ec2 get-ebs-encryption-by-default.

aws ec2 enable-ebs-encryption-by-default


Backout plan:

If data is lost or corrupted during the implementation, restore it from the snapshot you took as a backup in the pre-requisites:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Snapshots in the left navigation pane and select the backup snapshot

  4. Click on Actions and select Create Volume, choosing the same Availability Zone as the instance, then attach the restored volume to the instance under the original device name



Using AWS CLI:

To disable EBS encryption by default. This only reverts the account setting for the region; volumes that were created encrypted stay encrypted, and an encrypted volume cannot be converted back in place.

aws ec2 disable-ebs-encryption-by-default

 


Reference:

Amazon EBS encryption - Amazon Elastic Compute Cloud, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html