Description:

Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data.


Rationale:

Unencrypted EBS snapshots expose whatever is on the underlying volume to anyone able to read the snapshot, which may aid an adversary in identifying weaknesses in the affected account's usage or configuration, or in reaching the data on the server. It is best to configure the default key for EBS encryption in each Region so that snapshots are encrypted automatically.


Impact:

If EBS snapshots are not encrypted, an unauthorized user who obtains a snapshot can use it to reach the server's data. Also ensure that no EBS snapshot is set to Public: sharing is governed by the snapshot's permissions, which should grant access only to the specific AWS accounts that you specify.


Default Value:

By default, only snapshots of encrypted volumes are encrypted.


Audit:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click Snapshots in the navigation panel.

  4. Select the EBS snapshot you want to examine.

  5. Go to the Description tab at the bottom.

  6. Check the Encryption section.

    If the Encryption field reads Not Encrypted, the snapshot is unencrypted.


Remediation:

Pre-requisites:

  • Sign in as an administrator or as an IAM user with the required permissions.

Implementation steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. Click Snapshots in the navigation panel.

  4. Select the snapshot you want to encrypt.

  5. Click Actions and select Copy.

  6. On the Copy snapshot page, select the Encryption checkbox and click Copy.

  7. Delete the old unencrypted snapshot.

  8. Select the unencrypted snapshot, click Actions, and select Delete.
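
As an added example that is not part of the benchmark, the same audit and remediation performed through the EC2 API rather than the console: it lists every snapshot the account owns, reports those that are unencrypted or shared with the `all` group (Public), and issues the encrypted copy from steps 5 and 6. A boto3 EC2 client is assumed for a real run; `FakeEC2` and the `SAMPLE_*` data are constructed stand-ins so the block runs offline.

```python
# Added example: audit the account's snapshots for the two findings above
# (unencrypted, shared publicly) and run the encrypted copy from steps 5-6.
# SAMPLE_* data is constructed in the shape the EC2 API returns it.

SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "Encrypted": False, "VolumeId": "vol-1", "State": "completed"},
    {"SnapshotId": "snap-0bbb", "Encrypted": True, "VolumeId": "vol-2", "State": "completed"},
    {"SnapshotId": "snap-0ccc", "Encrypted": False, "VolumeId": "vol-3", "State": "completed"},
]}
SAMPLE_PERMISSIONS = {  # createVolumePermission attribute per snapshot
    "snap-0aaa": {"CreateVolumePermissions": [{"Group": "all"}]},           # Public
    "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "111122223333"}]}, # one account
    "snap-0ccc": {"CreateVolumePermissions": []},                            # private
}

class FakeEC2:
    """Offline stand-in for boto3.client("ec2") exposing the three calls used."""
    copies = []  # records every copy_snapshot call for inspection
    def describe_snapshots(self, **kwargs):
        return SAMPLE_SNAPSHOTS  # a real client may also return NextToken
    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return SAMPLE_PERMISSIONS[SnapshotId]
    def copy_snapshot(self, **kwargs):
        self.copies.append(kwargs)
        return {"SnapshotId": "snap-copy-" + kwargs["SourceSnapshotId"][-4:]}

def audit(ec2):
    """Return (unencrypted_ids, public_ids) for snapshots owned by this account."""
    unencrypted, public, kwargs = [], [], {"OwnerIds": ["self"]}
    while True:  # follow NextToken pagination on real accounts
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            if not snap["Encrypted"]:
                unencrypted.append(snap["SnapshotId"])
            perms = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if any(p.get("Group") == "all" for p in perms["CreateVolumePermissions"]):
                public.append(snap["SnapshotId"])  # shared with everyone
        if "NextToken" not in page:
            return unencrypted, public
        kwargs["NextToken"] = page["NextToken"]

def encrypt_copy(ec2, snapshot_id, region, kms_key_id=None):
    """Steps 5-6: copy with Encrypted=True, using the default EBS key unless kms_key_id is set."""
    args = dict(SourceRegion=region, SourceSnapshotId=snapshot_id, Encrypted=True,
                Description="encrypted copy of " + snapshot_id)
    if kms_key_id:
        args["KmsKeyId"] = kms_key_id
    return ec2.copy_snapshot(**args)["SnapshotId"]
```

Against a real account, replace `FakeEC2()` with `boto3.client("ec2", region_name=...)`; deleting the source only after the copy reaches `completed` (steps 7 and 8) and removing the `all` create-volume permission with `modify_snapshot_attribute` are left to the operator.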


Backout plan:

Once a snapshot is encrypted, it cannot be changed back to unencrypted.


Reference:

Amazon EBS snapshots - Amazon Elastic Compute Cloud