Profile Applicability:

  • Level 1

Description:
Elastic Compute Cloud (EC2) supports encryption at rest when using Elastic Block Store (EBS) volumes. While encryption is disabled by default, AWS provides a per-region account setting that enforces EBS encryption when new volumes are created. Enabling EBS encryption by default ensures that every new EBS volume created in the account is encrypted, providing data protection and compliance with security requirements. Note that the setting applies only to volumes created after it is enabled; volumes and snapshots that already exist unencrypted are not changed by it.

Rationale:
 Encrypting EBS volumes ensures that sensitive data stored at rest is protected from unauthorized access. Enabling encryption by default removes the chance that a volume is created unencrypted by oversight, and limits the impact if the underlying storage or a snapshot is ever exposed. By enforcing encryption at the EBS volume creation stage, AWS helps ensure that data is securely stored, reducing the risk of data leaks or unauthorized access to critical data.

Impact:
 Pros:

  • Increased security by ensuring that all EBS volumes are encrypted at rest.

  • Helps to meet compliance requirements that mandate data encryption, such as HIPAA, PCI-DSS, and GDPR.

  • Prevents unintentional exposure of sensitive data by ensuring encryption is enforced for all new volumes.

Cons:

  • Performance overhead: There could be slight performance impacts, though AWS has optimized encryption processes to minimize this.

  • Configuration overhead: the setting is per region, so it must be enabled separately in every region where EBS volumes are created.

Default Value:
 By default, EBS encryption is not enabled for new volumes. However, it can be configured per region to enable encryption for all newly created volumes.

Pre-requisites:

  • AWS IAM permissions to read and manage the EBS encryption-by-default setting and related EC2 resources:
    ec2:DescribeAccountAttributes, ec2:ModifyAccountAttribute, ec2:GetEbsEncryptionByDefault, ec2:EnableEbsEncryptionByDefault, ec2:DisableEbsEncryptionByDefault, ec2:DescribeImages

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, under Account attributes, click EBS encryption.

  3. Ensure that Always encrypt new EBS volumes is enabled.

  4. Review this setting across all regions where EBS volumes are used.

Using AWS CLI:

  1. Run the following command to check if EBS encryption by default is enabled for your region:

    aws ec2 get-ebs-encryption-by-default --region <region>

  2. Verify that the response contains "EbsEncryptionByDefault": true.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, under Account attributes, click on EBS encryption.

  3. Click Manage.

  4. Select the Enable checkbox to enable default encryption for new EBS volumes.

  5. Click Update EBS encryption to apply the change.

  6. Repeat this process for each region where new EBS volumes need to be encrypted by default.

Using AWS CLI:

  1. Run the following command to enable EBS encryption by default:

    aws ec2 enable-ebs-encryption-by-default --region <region>

  2. Verify the setting by running:

    aws ec2 get-ebs-encryption-by-default --region <region>

  3. Repeat this command for all regions requiring encryption for new EBS volumes.
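The Test Plan and Implementation Plan above are per region. The following added script (not part of this benchmark and not an AWS-provided tool) runs the same get/enable commands across every region enabled for the account, reporting in audit mode and enabling the setting in enforce mode. It assumes the AWS CLI is installed and credentials carrying the Pre-requisites permissions are configured; the opt-in-status filter and the grep-based check of the CLI's JSON response are my own choices.

```shell
#!/usr/bin/env bash
# Audit, and optionally enforce, EBS encryption by default in every region
# enabled for the account. Usage: ./ebs-default-encryption.sh audit|enforce
set -eu

# Reduce the JSON from get-ebs-encryption-by-default to "enabled" or
# "disabled". grep is used instead of jq so the script has no extra deps.
ebs_default_state() {
  if printf '%s' "$1" | grep -Eq '"EbsEncryptionByDefault"[[:space:]]*:[[:space:]]*true'; then
    echo enabled
  else
    echo disabled
  fi
}

# Regions the account can actually use; not-opted-in regions are skipped
# because the attribute cannot be read or set there.
enabled_regions() {
  aws ec2 describe-regions --all-regions \
    --filters "Name=opt-in-status,Values=opt-in-not-required,opted-in" \
    --query 'Regions[].RegionName' --output text
}

main() {
  mode="${1:-}"
  case "$mode" in
    audit|enforce) ;;
    *) echo "usage: $0 audit|enforce" >&2; return 0 ;;
  esac
  rc=0
  for region in $(enabled_regions); do
    state=$(ebs_default_state "$(aws ec2 get-ebs-encryption-by-default --region "$region" --output json)")
    if [ "$state" = disabled ]; then
      if [ "$mode" = enforce ]; then
        aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
        state="enabled (changed now)"
      else
        rc=1   # audit mode: at least one region is not compliant
      fi
    fi
    printf '%-16s %s\n' "$region" "$state"
  done
  return "$rc"   # non-zero exit lets a CI job or cron alert on drift
}

main "$@"
```

In audit mode the script changes nothing and exits non-zero if any region still reports `"EbsEncryptionByDefault": false`; enforce mode is the CLI Implementation Plan applied to all regions.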

Backout Plan:

Using AWS Console:

  1. If enabling EBS encryption by default causes issues, log in to the EC2 Console.

  2. Under EBS encryption, click Manage.

  3. Uncheck the Enable checkbox to disable encryption for new volumes.

  4. Click Update EBS encryption to revert the changes.

Using AWS CLI:

  1. To disable EBS encryption by default, run the following command:

    aws ec2 disable-ebs-encryption-by-default --region <region>

  2. Verify the setting by running:

    aws ec2 get-ebs-encryption-by-default --region <region>

References:

  1. AWS EC2: EBS Encryption

  2. AWS CLI: get-ebs-encryption-by-default

  3. AWS CLI: enable-ebs-encryption-by-default

CIS Controls:

  • Version v8, Control ID 3.11: Encrypt sensitive data at rest on all EBS volumes, ensuring that data on Amazon EC2 instances is protected from unauthorized access.

  • Version v7, Control ID 14.8: Encrypt all sensitive data at rest, including on EBS volumes, to ensure that data remains protected and inaccessible without proper authorization.