Description: 

Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used as a hard drive.


Rationale:

EBS encrypts each volume with a data key using the industry-standard AES-256 algorithm. Data stored on unencrypted EBS volumes is unprotected at rest and is exposed if those volumes are accessed by an unauthorized party.


Impact:

You can configure your AWS account to enforce encryption of new EBS volumes and snapshot copies that you create. Once enabled, Amazon EBS encrypts the volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.


Default value:

By default, new EBS volumes aren't encrypted.


Audit:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. On the EC2 Dashboard, under Account Attributes, select EBS encryption

  4. On the EBS encryption page, check whether "Always encrypt new EBS volumes" is enabled or disabled


Remediation:

Pre-requisites:

  • Sign in as an administrator or as an IAM user with the required permissions

Implementation steps:

  1. Log in to the AWS Management Console.

  2. Go to EC2 dashboard at https://console.aws.amazon.com/ec2/

  3. On the EC2 Dashboard, under Account Attributes, select EBS encryption

  4. Click Manage on the EBS encryption page

  5. Select the Enable checkbox under Always encrypt new EBS volumes and choose the KMS key to use

  6. Click Update EBS encryption


Via CLI:

Check the current setting for the configured Region (the output shows "EbsEncryptionByDefault": true when it is enabled):

aws ec2 get-ebs-encryption-by-default

Enable the setting for that Region (pass --region to target another one):

aws ec2 enable-ebs-encryption-by-default
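Because the setting is per Region, an audit has to query every enabled Region. The script below is an added example (not part of this benchmark text) that does the audit and remediation steps above with boto3, and also lists the existing unencrypted volumes that the default does not cover; it assumes boto3 is installed and that the caller has ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId, ec2:DescribeVolumes and, for remediation, ec2:EnableEbsEncryptionByDefault.

```python
from dataclasses import dataclass, field


@dataclass
class RegionFinding:
    region: str
    encryption_by_default: bool
    default_kms_key: str  # alias/aws/ebs unless a customer managed key was set
    unencrypted_volumes: list = field(default_factory=list)


def audit_region(ec2, region):
    """`ec2` is a boto3 EC2 client (or a stand-in with the same methods)
    already bound to `region`; the setting is per Region, so query each one."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    # Encryption by default protects only *new* volumes, so also report the
    # existing unencrypted ones that still need a snapshot-and-encrypted-copy.
    resp = ec2.describe_volumes(Filters=[{"Name": "encrypted", "Values": ["false"]}])
    return RegionFinding(region, enabled, key,
                         [v["VolumeId"] for v in resp["Volumes"]])


def is_compliant(finding):
    """The benchmark check: encryption by default must be on in the Region."""
    return finding.encryption_by_default


def remediate_region(ec2):
    """Same effect as the Enable checkbox / `aws ec2 enable-ebs-encryption-by-default`."""
    return ec2.enable_ebs_encryption_by_default()["EbsEncryptionByDefault"]


def audit_account(client_for_region, remediate=False):
    """One finding per enabled Region. `client_for_region(name)` must return
    an EC2 client bound to that Region (a hypothetical factory, not a boto3 API)."""
    regions = client_for_region("us-east-1").describe_regions()["Regions"]
    findings = []
    for name in (r["RegionName"] for r in regions):
        ec2 = client_for_region(name)
        finding = audit_region(ec2, name)
        if remediate and not finding.encryption_by_default:
            finding.encryption_by_default = remediate_region(ec2)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    import boto3  # real run: needs AWS credentials with the permissions listed above
    for f in audit_account(lambda r: boto3.client("ec2", region_name=r)):
        print("PASS" if is_compliant(f) else "FAIL", f.region,
              f"key={f.default_kms_key} unencrypted_volumes={len(f.unencrypted_volumes)}")
```

Run it with `remediate=True` only after confirming the KMS key each Region will use, since the setting cannot be overridden per volume once enabled.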


Backout plan:

To disable default encryption, follow the implementation steps and clear the Enable checkbox under Always encrypt new EBS volumes.


Note:

Encryption by default is a Region-specific setting. If encryption is enabled for a Region, it can't be disabled for individual volumes or snapshots in that Region.


Reference:

Amazon EBS encryption - Amazon Elastic Compute Cloud