Description: 

Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used as a hard drive.


Rationale:

EBS encrypts your volume with a data key using the industry-standard AES-256 algorithm. Unencrypted EBS volumes leave the data stored on them unprotected at rest, so that data is exposed if the volume or a snapshot of it is accessed by an unauthorized party.


Impact:

With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes.


Default Value:

By default, EBS volumes are not encrypted.


Audit:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel

  4. Select the EBS volume you want to examine

  5. Go to the Description tab at the bottom

  6. Check the Encrypted section

    If the Encrypted field shows Not Encrypted, the volume is not encrypted.



Remediation:

Pre-requisites:

  • Sign in as an admin or as an IAM user with the required permissions

  • Take a snapshot of the volume as a backup

Implementation Steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Volumes in the navigation panel

  4. Select the EBS volume

  5. Click on Actions and select Create Snapshot

  6. On the Create Snapshot page, enter the required details and click on Create Snapshot

  7. Click on Snapshots in the left navigation pane

  8. Select the snapshot that you just created

  9. Click on Actions and select Create Volume

  10. On the Create Volume page, make sure Encryption is enabled and click on the Create Volume button at the bottom

  11. Go back to Volumes by clicking on Volumes in the left navigation pane

  12. Select the old unencrypted volume, click on Actions, and select Detach Volume

  13. Select the volume you just created from the snapshot

  14. Click on Actions and select Attach Volume

  15. Enter the Instance ID of the instance you want to attach this volume to and click on Attach
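The audit and remediation steps above are console click-throughs; the following added example (not part of this benchmark, and not AWS code) performs the same audit over the JSON shape that `aws ec2 describe-volumes` returns and maps the remediation steps to their AWS CLI equivalents. The volume, instance and key identifiers are constructed sample values, and `<SNAPSHOT_ID>` / `<NEW_VOLUME_ID>` are placeholders for values known only after the preceding command has run.

```python
import json

# Constructed sample modelled on `aws ec2 describe-volumes` output, trimmed to the
# fields used here. These are not real account identifiers.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa1111example", "AvailabilityZone": "us-east-1a", "State": "in-use",
     "Size": 8, "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0bbb2222example", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0ccc3333example", "AvailabilityZone": "us-east-1a", "State": "in-use",
     "Size": 100, "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
     "Attachments": [{"InstanceId": "i-0bbb2222example", "Device": "/dev/sdf", "State": "attached"}]},
    {"VolumeId": "vol-0ddd4444example", "AvailabilityZone": "us-east-1b", "State": "available",
     "Size": 20, "Encrypted": False, "Attachments": []},
]})


def find_unencrypted_volumes(describe_volumes_json):
    """Audit step: one finding per volume whose Encrypted flag is false."""
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if vol.get("Encrypted"):
            continue
        att = (vol.get("Attachments") or [{}])[0]      # empty dict for an unattached volume
        findings.append({"VolumeId": vol["VolumeId"],
                         "AvailabilityZone": vol["AvailabilityZone"],
                         "InstanceId": att.get("InstanceId"),   # None when not attached
                         "Device": att.get("Device")})
    return findings


def remediation_commands(finding, kms_key_id=None):
    """Remediation steps 5-15 as CLI commands: snapshot, encrypted volume from the
    snapshot, then swap the volumes. The new volume has to be created in the same
    Availability Zone as the old one, or it cannot be attached to the instance."""
    vol, az = finding["VolumeId"], finding["AvailabilityZone"]
    key = f" --kms-key-id {kms_key_id}" if kms_key_id else ""   # omitted: account default EBS key
    cmds = [f"aws ec2 create-snapshot --volume-id {vol} --description 'backup of {vol}'",
            f"aws ec2 create-volume --snapshot-id <SNAPSHOT_ID> --availability-zone {az} --encrypted{key}"]
    if finding["InstanceId"]:   # only an attached volume needs the detach/attach swap
        cmds += [f"aws ec2 detach-volume --volume-id {vol}",
                 f"aws ec2 attach-volume --volume-id <NEW_VOLUME_ID> "
                 f"--instance-id {finding['InstanceId']} --device {finding['Device']}"]
    return cmds


if __name__ == "__main__":
    for f in find_unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print(f"{f['VolumeId']} ({f['AvailabilityZone']}) is NOT encrypted; instance: {f['InstanceId']}")
        for c in remediation_commands(f):
            print("   ", c)
```

Detach the volume only after the instance has been stopped or the filesystem unmounted, and keep the snapshot from the first command as the backout copy described below.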


Backout plan:

In case of any data loss or corruption during the implementation process, you can get the data from the snapshot you created as a backup.

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Snapshots in the left navigation pane

  4. Click on Actions and select Create Volume


Reference:

Amazon EBS encryption - Amazon Elastic Compute Cloud