Description: 

Snapshots are incremental backups, which means that only the blocks on the device that have changed since your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data.


Rationale:

Unencrypted EBS snapshots expose the full contents of the source volume to anyone who can copy them or create a volume from them, which may help an adversary identify weaknesses in the affected account's usage, configuration, or data on the server. It is best to configure the default key for EBS encryption in each region so that snapshots are encrypted automatically.


Impact:

If EBS snapshots are not encrypted, unauthorized users who gain access to a snapshot can create a volume from it and read the data. Also ensure that no EBS snapshot is set to public. Sharing is controlled by modifying a snapshot's permissions, which lets you share it only with the specific AWS accounts you specify.


Default Value: 

By default, only snapshots of encrypted volumes are encrypted.


Pre-requisites:

  • Sign in as admin or IAM user with required permissions

Remediation:

 

Test plan:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Snapshots in the navigation panel

  4. Select the EBS snapshot you want to examine

  5. Go to the Description tab at the bottom

  6. Check the Encryption section

     If the Encryption field shows Not Encrypted, the snapshot is not encrypted.


Implementation steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click on Snapshots in the navigation panel

  4. Select the snapshot you want to encrypt

  5. Click on Actions and select Copy

  6. On the Copy snapshot page, check the Encryption checkbox and click the Copy button

  7. Delete the old unencrypted snapshot

  8. Select the unencrypted snapshot, click on Actions, and select Delete
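The test plan and implementation steps above are written for the console. The following is an added example (not part of the original control text) that performs the same audit programmatically and emits the equivalent AWS CLI remediation. It runs offline on constructed sample data shaped like the output of `aws ec2 describe-snapshots` and `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`; the snapshot IDs, volume IDs, account IDs, region and KMS key alias are made-up placeholders. It also covers the public-sharing check from the Impact section and the region-wide encryption default from the Rationale section.

```python
"""Audit EBS snapshots for the two conditions this control covers (unencrypted,
publicly shared) and emit AWS CLI remediation commands for each finding.

Added example, not part of the original control text. All IDs below are
constructed placeholders; REGION and KMS_KEY are assumptions for the audit.
"""

REGION = "us-east-1"        # assumption: region being audited
KMS_KEY = "alias/aws/ebs"   # assumption: key used for the encrypted copy

# Constructed sample: what `aws ec2 describe-snapshots --owner-ids self` returns.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa000000000001", "Encrypted": False, "VolumeId": "vol-0aaa1"},
    {"SnapshotId": "snap-0aaa000000000002", "Encrypted": True, "VolumeId": "vol-0aaa2",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder"},
    {"SnapshotId": "snap-0aaa000000000003", "Encrypted": False, "VolumeId": "vol-0aaa3"},
]

# Constructed sample: createVolumePermission attribute per snapshot.
# An entry of {"Group": "all"} is how the API represents a public snapshot.
SAMPLE_PERMISSIONS = {
    "snap-0aaa000000000001": {"CreateVolumePermissions": []},
    "snap-0aaa000000000002": {"CreateVolumePermissions": [{"UserId": "444455556666"}]},
    "snap-0aaa000000000003": {"CreateVolumePermissions": [{"Group": "all"}]},
}


def is_public(attribute: dict) -> bool:
    """True if any createVolumePermission entry grants the 'all' group."""
    return any(p.get("Group") == "all"
               for p in attribute.get("CreateVolumePermissions", []))


def audit_snapshots(snapshots: list, permissions: dict) -> list:
    """Return one finding per snapshot that fails the control.

    Each finding lists the failed checks: 'unencrypted' and/or 'public'.
    """
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        failed = []
        if not snap.get("Encrypted", False):
            failed.append("unencrypted")
        if is_public(permissions.get(sid, {})):
            failed.append("public")
        if failed:
            findings.append({"SnapshotId": sid, "Failed": failed})
    return findings


def remediation_commands(finding: dict, region: str = REGION, kms_key: str = KMS_KEY) -> list:
    """AWS CLI steps mirroring the console procedure: remove public access,
    copy the snapshot with encryption, then delete the unencrypted original."""
    sid = finding["SnapshotId"]
    cmds = []
    if "public" in finding["Failed"]:
        cmds.append(
            f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
            f"--attribute createVolumePermission --operation-type remove --group-names all")
    if "unencrypted" in finding["Failed"]:
        cmds.append(
            f"aws ec2 copy-snapshot --region {region} --source-region {region} "
            f"--source-snapshot-id {sid} --encrypted --kms-key-id {kms_key} "
            f"--description 'encrypted copy of {sid}'")
        # Run the delete only after describe-snapshots shows the copy with State=completed.
        cmds.append(f"aws ec2 delete-snapshot --snapshot-id {sid}")
    return cmds


def region_default_commands(region: str = REGION, kms_key: str = KMS_KEY) -> list:
    """Turn on encryption by default for the region (new volumes and snapshot
    copies are then encrypted automatically) and set the default KMS key."""
    return [
        f"aws ec2 enable-ebs-encryption-by-default --region {region}",
        f"aws ec2 modify-ebs-default-kms-key-id --region {region} --kms-key-id {kms_key}",
    ]


if __name__ == "__main__":
    for finding in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS):
        print(finding["SnapshotId"], "FAILS:", ", ".join(finding["Failed"]))
        for cmd in remediation_commands(finding):
            print("   ", cmd)
    for cmd in region_default_commands():
        print(cmd)
```

In a real audit, replace the two sample structures with the parsed JSON of the CLI calls named above. The delete command is listed last on purpose: an encrypted copy is only a safe replacement once its State is `completed`, and because an encrypted snapshot cannot be reverted (see Backout plan), the unencrypted original is the only fallback until then.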


Backout plan:

Once a snapshot has been encrypted, it cannot be reverted to an unencrypted snapshot.


Reference:

Amazon EBS snapshots - Amazon Elastic Compute Cloud