Description:
Amazon Elastic Block Store (EBS) is a cloud-based block storage service provided by AWS; its volumes work like hard drives attached to an instance. It stores any type of data, including file systems. It is an easy-to-use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput-intensive and transaction-intensive workloads at any scale.
Rationale:
AWS gives the option to enable or disable EBS encryption by default. With this setting enabled, newly created EBS volumes are created in encrypted form, using either the default key provided by AWS or a key that you create.
This policy checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.
Impact:
It makes it simpler to ensure that newly created volumes are created in encrypted form. It does not affect existing unencrypted volumes.
Default Value:
By default, EBS encryption by default is not enabled.
Audit:
Step 1: Log in to AWS Management Console and go to EC2 Console at https://console.aws.amazon.com/ec2/.
Step 2: Click on EBS encryption on the right side of the Account attribute panel of the EC2 dashboard.
Via CLI Audit
To check whether EBS encryption by default is enabled:
aws ec2 get-ebs-encryption-by-default
If EBS encryption by default is disabled, the output is:
{
"EbsEncryptionByDefault": false
}
If EBS encryption by default is enabled, the output is:
{
"EbsEncryptionByDefault": true
}
Remediation:
Pre-Requisite:
Before enabling encryption by default, note the following points:
Encryption by default is a Region-specific setting. If encryption is enabled for a Region, it can’t be disabled for individual volumes or snapshots in that Region.
After enabling encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.
Implementation Steps:
Step 1: Log in to AWS Management Console and go to EC2 Console at https://console.aws.amazon.com/ec2/.
Step 2: Click on EBS encryption on the right side of the Account attribute panel of the EC2 dashboard.
Step 3: In the EBS encryption panel, click on the Manage button.
Step 4: Click on the check box to enable Always encrypt new EBS volumes and select your Default encryption key.
Step 5: Click on the Update EBS encryption button.
Via CLI
To enable EBS encryption by default:
aws ec2 enable-ebs-encryption-by-default
Backout Plan
If any issue or problem arises after the implementation, follow the same implementation steps, uncheck the box, and then click on Update EBS encryption.
Via CLI
To disable EBS encryption by default:
aws ec2 disable-ebs-encryption-by-default
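An added example, not part of this benchmark text: a POSIX shell script that applies the CLI audit above to every enabled Region (the setting is Region-specific, as the pre-requisite notes) and wraps the enable command with a re-check. It assumes a configured AWS CLI with permission for ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault; the function names and the COMPLIANT/NON_COMPLIANT output format are the example's own.

```shell
#!/bin/sh
# Added example: audit EBS encryption-by-default across all Regions.

# Classify one get-ebs-encryption-by-default JSON document as COMPLIANT or
# NON_COMPLIANT. Whitespace is stripped so pretty-printed and compact JSON
# are handled the same way; anything else is UNKNOWN with a non-zero status.
ebs_default_encryption_status() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t\r')
  case "$compact" in
    *'"EbsEncryptionByDefault":true'*)  echo COMPLIANT ;;
    *'"EbsEncryptionByDefault":false'*) echo NON_COMPLIANT ;;
    *) echo UNKNOWN; return 1 ;;
  esac
}

# Query every Region the account can use and print one line per Region.
# Returns 1 if any Region is not COMPLIANT, so it can gate a pipeline.
audit_all_regions() {
  rc=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    json=$(aws ec2 get-ebs-encryption-by-default --region "$region" --output json)
    status=$(ebs_default_encryption_status "$json") || rc=1
    if [ "$status" != COMPLIANT ]; then rc=1; fi
    printf '%-16s %s\n' "$region" "$status"
  done
  return $rc
}

# Remediate one Region (the "Via CLI" step above), then re-check it.
# Existing unencrypted volumes in the Region are not changed by this call.
enable_and_verify() {
  aws ec2 enable-ebs-encryption-by-default --region "$1" >/dev/null
  ebs_default_encryption_status \
    "$(aws ec2 get-ebs-encryption-by-default --region "$1" --output json)"
}

# Only talk to AWS when invoked explicitly, e.g. ./ebs_audit.sh audit
case "${1:-}" in
  audit)  audit_all_regions ;;
  enable) enable_and_verify "${2:?region required}" ;;
esac
```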