Description: 

Elastic Block Store (EBS) is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used like a hard drive.


If EBS snapshots are not encrypted, unauthorized users who gain access to the account may be able to use a snapshot to read the data it contains. Also ensure that no EBS snapshots are set to Public: by modifying a snapshot's permissions you can restrict sharing to only the AWS accounts that you specify.


Rationale:

Allowing unencrypted EBS snapshots may aid an adversary in identifying weaknesses in the affected account's use or configuration, or in reading data on the server. It is best to configure the default key for EBS encryption for a Region so that new snapshots are automatically encrypted.


Remediation:

To check whether an EBS snapshot is encrypted using the console:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. Choose Snapshots in the navigation pane.
  3. Select the snapshot and check whether it is unencrypted. If it is unencrypted:
    • Copy the unencrypted snapshot and select the option to encrypt the copy.
    • When you create an encrypted EBS resource, it is encrypted by your account's default key for EBS encryption unless you specify a different customer managed CMK in the volume creation parameters or in the block device mapping for the AMI or instance.
  4. Choose Save.
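The same check and remediation can be scripted against the EC2 API. The following is an added example, not part of this check's text or any AWS tooling: it audits the account's own snapshots for the two conditions described above (unencrypted, or shared with the public "all" group), and a separate function copies each unencrypted snapshot into an encrypted one (falling back to the Region's default EBS key when no KMS key is given) and revokes public sharing. The client is passed in so the logic can be exercised offline with a stub; the Region string in the main block is a placeholder.

```python
def audit_snapshots(ec2):
    """Return {snapshot_id: [problems]} for each snapshot this account owns
    that is unencrypted or shared with the 'all' group (public). ec2 is any
    object with boto3's describe_snapshots/describe_snapshot_attribute."""
    findings = {}
    args = {"OwnerIds": ["self"]}  # only snapshots we own, not shared-in ones
    while True:
        page = ec2.describe_snapshots(**args)
        for snap in page.get("Snapshots", []):
            sid = snap["SnapshotId"]
            problems = []
            if not snap.get("Encrypted", False):
                problems.append("unencrypted")
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=sid, Attribute="createVolumePermission")
            perms = attr.get("CreateVolumePermissions", [])
            if any(p.get("Group") == "all" for p in perms):
                problems.append("public")
            if problems:
                findings[sid] = problems
        token = page.get("NextToken")  # DescribeSnapshots paginates
        if not token:
            return findings
        args["NextToken"] = token

def remediate(ec2, findings, region, kms_key_id=None):
    """Revoke public sharing, then copy each unencrypted snapshot into an
    encrypted one. Without kms_key_id, CopySnapshot uses the Region's default
    EBS key. Returns the new snapshot IDs; originals are left for review."""
    copies = []
    for sid, problems in findings.items():
        if "public" in problems:
            ec2.modify_snapshot_attribute(
                SnapshotId=sid, Attribute="createVolumePermission",
                OperationType="remove", GroupNames=["all"])
        if "unencrypted" in problems:
            params = {"SourceRegion": region, "SourceSnapshotId": sid,
                      "Encrypted": True, "Description": "encrypted copy of " + sid}
            if kms_key_id:
                params["KmsKeyId"] = kms_key_id
            copies.append(ec2.copy_snapshot(**params)["SnapshotId"])
    return copies

if __name__ == "__main__":
    import boto3  # real AWS client; only needed when run against an account
    region = "us-east-1"  # placeholder: set to the Region being audited
    client = boto3.client("ec2", region_name=region)
    for sid, problems in audit_snapshots(client).items():
        print(sid, ", ".join(problems))
```

Running the script prints only the findings; call remediate() on the returned dictionary after reviewing them, and delete the unencrypted originals once the encrypted copies are verified.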


Default Value: By default, EBS snapshots take the default key for EBS encryption.

To configure the default key for EBS encryption for a Region:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. From the navigation bar, select the Region.
  3. Choose Account Attributes, Settings.
  4. Choose Change the default key and then choose an available key.
  5. Choose Update.


Resources:

  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt