Description:

Amazon EBS is a cloud-based block storage service provided by AWS; its volumes work like hard drives attached to an instance. It stores any type of data, including file systems. It is an easy-to-use, high-performance block-storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput-intensive and transaction-intensive workloads at any scale.

Rationale:

AWS gives the option to enable or disable encryption by default. When this feature is enabled, newly created EBS volumes are created in encrypted form, using either the default key provided by AWS or a key that you create.

This policy checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if encryption by default is not enabled.

Impact:

Enabling this setting makes it easier and simpler to ensure that newly created volumes are created in encrypted form. It does not affect existing unencrypted volumes.

Default Value:

By default, EBS encryption by default is not enabled.

Audit:

Step 1: Log in to AWS Management Console and go to EC2 Console at https://console.aws.amazon.com/ec2/.

Step 2: Click on EBS encryption on the right side of the Account attributes panel of the EC2 dashboard.

Step 3: In the EBS encryption panel, check whether encryption by default is shown as enabled or disabled.

Via CLI Audit

To check whether EBS encryption by default is enabled, run:

aws ec2 get-ebs-encryption-by-default

If EBS encryption by default is disabled, the output is:

{
"EbsEncryptionByDefault": false
}

If EBS encryption by default is enabled, the output is:

{
"EbsEncryptionByDefault": true
}

Remediation:

Pre-Requisite:

Before enabling encryption by default, note the following points:

  • Encryption by default is a Region-specific setting. If encryption is enabled for a Region, it can’t be disabled for individual volumes or snapshots in that Region.

  • After enabling encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.

Implementation Steps:

Step 1: Log in to AWS Management Console and go to EC2 Console at https://console.aws.amazon.com/ec2/.

Step 2: Click on EBS encryption on the right side of the Account attributes panel of the EC2 dashboard.

Step 3: In the EBS encryption panel, click on the Manage button.

Step 4: Select the Always encrypt new EBS volumes check box and choose your Default encryption key.

Step 5: Click on the Update EBS encryption button.

Via CLI

To enable EBS encryption by default, run:

aws ec2 enable-ebs-encryption-by-default
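The CLI audit and remediation steps above act on a single Region, but encryption by default is a Region-specific setting, so an account is only fully compliant when every enabled Region reports true. The following script is an added example (not part of the benchmark text): it classifies the get-ebs-encryption-by-default output exactly as the rule above does (COMPLIANT / NON_COMPLIANT), runs that check across all enabled Regions, and applies the same enable call per Region. It assumes the AWS CLI is installed with credentials permitted to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault; the two SAMPLE_* values are constructed to mirror the outputs shown in the Audit section.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Encryption by default is set per
# Region, so audit every enabled Region rather than only the one selected in the
# console. Requires the AWS CLI and suitable credentials (see lead-in).

# Classify the JSON returned by `aws ec2 get-ebs-encryption-by-default`.
# Prints COMPLIANT, NON_COMPLIANT, or UNKNOWN when the output is empty or is
# not the expected JSON (for example an access-denied error message).
evaluate_ebs_default_encryption() {
    # Strip whitespace so the match works for pretty-printed and compact JSON alike.
    compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
    case "$compact" in
        *'"EbsEncryptionByDefault":true'*)  echo COMPLIANT ;;
        *'"EbsEncryptionByDefault":false'*) echo NON_COMPLIANT ;;
        *)                                  echo UNKNOWN ;;
    esac
}

# Audit one Region and print "<region> <status>". Errors are captured so a
# denied or failed call shows up as UNKNOWN instead of a false pass.
audit_region() {
    out=$(aws ec2 get-ebs-encryption-by-default --region "$1" 2>&1)
    printf '%s %s\n' "$1" "$(evaluate_ebs_default_encryption "$out")"
}

# Audit every Region enabled for the account.
audit_all_regions() {
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        audit_region "$region"
    done
}

# Remediation: the same call as the "Via CLI" step above, applied to one Region.
remediate_region() {
    aws ec2 enable-ebs-encryption-by-default --region "$1" >/dev/null
}

# Constructed sample outputs mirroring the two responses shown in the Audit section.
SAMPLE_DISABLED='{
    "EbsEncryptionByDefault": false
}'
SAMPLE_ENABLED='{ "EbsEncryptionByDefault": true }'

# Usage: sh ebs_default_encryption.sh audit | remediate <region>
case "${1:-}" in
    audit)     audit_all_regions ;;
    remediate) remediate_region "$2" ;;
esac
```

Run `audit` first and record the per-Region result; any Region reporting NON_COMPLIANT is a candidate for `remediate <region>`, subject to the instance-type caveat listed under Pre-Requisite.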

Backout Plan

After the implementation, if any issue or problem arises, follow the same implementation steps, uncheck the Always encrypt new EBS volumes box, and then click on Update EBS encryption.

Via CLI

To disable EBS encryption by default