Profile Applicability:

Level 1

Description:

Amazon Elastic Block Store (EBS) provides encryption at rest for the volumes attached to Amazon EC2 instances. EBS encryption is not enabled by default, but AWS lets you enable encryption by default per region so that every newly created volume is automatically encrypted with an AWS Key Management Service (KMS) key.

Rationale:

Encrypting data at rest ensures confidentiality and compliance by:

  • Reducing the risk of unauthorized access to sensitive data.

  • Preventing data exposure in the event of a security breach.

  • Aligning with compliance standards such as SOC 2, HIPAA, PCI DSS, and CIS Benchmark standards.

Impact:

  • Enabling default encryption affects only new EBS volumes. Existing volumes are not automatically encrypted.

  • Losing access to the KMS key used for encryption may result in data inaccessibility.

  • Additional KMS key permissions are required for the instances and users that create, attach, or read encrypted volumes.

Default Value:

  • EBS encryption is disabled by default for all AWS regions.

  • Users must enable encryption per region for all new EBS volumes.

Pre-Requisites:

  1. AWS CLI Installed (for command-line verification and remediation).

  2. IAM Permissions Required:

    • ec2:GetEbsEncryptionByDefault (for auditing).

    • ec2:EnableEbsEncryptionByDefault (for remediation).

  3. Access to AWS Management Console with permissions to modify EBS encryption settings.

  4. AWS Key Management Service (KMS) key for encryption (AWS-managed or customer-managed).

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Open the Amazon EC2 console: AWS EC2 Console.

  3. Under Account Attributes, click EBS encryption.

  4. Verify that "Always encrypt new EBS volumes" displays Enabled.

  5. Repeat for each AWS region in use.

Implementation Steps:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Open the Amazon EC2 console: AWS EC2 Console.

  3. Under Account Attributes, click EBS encryption.

  4. Click Manage.

  5. Check the Enable box to enable encryption for new EBS volumes.

  6. Click Update EBS encryption.

  7. Repeat for all AWS regions where encryption is not enabled.
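The console audit in the Test Plan and the enablement in the Implementation Steps can both be scripted with the AWS CLI across every enabled region. The script below is an added example, not part of the benchmark text; it assumes AWS CLI v2 with credentials configured, the ec2:DescribeRegions permission in addition to the two listed under Pre-Requisites, and an AWS_CLI variable (an assumed hook, not a CLI feature) that lets a wrapper or stub stand in for the real binary.

```shell
#!/bin/sh
# Added example, not benchmark text: audit EBS encryption-by-default in every
# enabled region and, on request, enable it where it is off.
# Assumes AWS CLI v2 with credentials configured and the permissions
# ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and, for remediation,
# ec2:EnableEbsEncryptionByDefault. AWS_CLI is an assumed override hook so a
# wrapper or stub can stand in for the real CLI.
AWS_CLI="${AWS_CLI:-aws}"

# Print the names of all regions enabled for the account, one per line.
list_regions() {
  "$AWS_CLI" ec2 describe-regions --query 'Regions[].RegionName' --output text \
    | tr '\t' '\n'
}

# Print the region's EbsEncryptionByDefault flag (True or False in text output).
ebs_default_encryption() {
  "$AWS_CLI" --region "$1" ec2 get-ebs-encryption-by-default \
    --query 'EbsEncryptionByDefault' --output text
}

# Audit every region, printing one "<region> <status>" line each. With a first
# argument of 1, also enable encryption by default where it is off (the CLI
# equivalent of the Implementation Steps). Returns non-zero if any region is
# still non-compliant at the end of the run.
audit_all_regions() {
  fix="${1:-0}"
  rc=0
  for region in $(list_regions); do
    status="$(ebs_default_encryption "$region")"
    case "$status" in
      True|true)
        echo "$region compliant" ;;
      *)
        if [ "$fix" = 1 ] \
           && "$AWS_CLI" --region "$region" ec2 enable-ebs-encryption-by-default >/dev/null
        then
          echo "$region remediated"
        else
          rc=1
          echo "$region NON-COMPLIANT"
        fi ;;
    esac
  done
  return "$rc"
}
```

Source the file and run `audit_all_regions` to audit only, or `audit_all_regions 1` to audit and remediate; the exit status stays non-zero while any region remains non-compliant.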

Backout Plan:

If enabling EBS encryption causes issues:

  1. Disable EBS encryption for new volumes:

     aws --region <region-name> ec2 disable-ebs-encryption-by-default

  2. Verify encryption status:

     aws --region <region-name> ec2 get-ebs-encryption-by-default

     Expected Output: "EbsEncryptionByDefault": false.

  3. Ensure existing encrypted volumes remain accessible.

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|------------------------------------------------------------------------------------
  CIS v8              | 3.11       | Encrypt sensitive data at rest on servers, applications, and databases.
  CIS v7              | 14.8       | Encrypt all sensitive information at rest with a secondary authentication mechanism.