Profile Applicability:
- Level 1
Description:
Elastic Block Store (EBS) supports encryption at rest to protect the data stored on EBS volumes. When an EBS snapshot is created, the snapshot’s data should be encrypted to ensure that sensitive information is protected from unauthorized access. EBS encryption ensures that the data in the snapshots is encrypted and protected by encryption keys, either managed by AWS (default) or by the customer.
Rationale:
Encrypting EBS snapshots ensures that any data stored on them is protected from unauthorized access, preventing unintentional data exposure or breaches. When snapshots are not encrypted, they are at risk of being accessed by unauthorized entities. Encrypting EBS snapshots helps organizations comply with security and privacy regulations and ensures data confidentiality, especially in environments where sensitive information is stored.
Impact:
Pros:
Increased security by ensuring sensitive data in EBS snapshots is encrypted.
Meets compliance requirements for data protection, such as HIPAA, PCI-DSS, GDPR, etc.
Prevents unauthorized access to data stored in snapshots.
Cons:
Performance overhead: While encryption is optimized by AWS, there may still be a minor performance impact due to the encryption and decryption processes.
Requires ongoing management to ensure new snapshots are created encrypted, plus the effort of copying and replacing any existing unencrypted snapshots.
Default Value:
EBS snapshots are not encrypted by default, but you can enable encryption during the snapshot creation process. Existing unencrypted snapshots must be copied, with encryption enabled on the copy.
Pre-requisites:
AWS IAM permissions to manage EBS snapshots and their encryption:
ec2:DescribeSnapshots, ec2:CopySnapshot, ec2:ModifySnapshotAttribute, ec2:DeleteSnapshot
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS EC2 Console.
Under Elastic Block Store, click on Snapshots.
Select a snapshot to review.
In the Description tab, verify that the Encryption setting is set to Encrypted.
If the snapshot is not encrypted, refer to the Remediation section to enable encryption.
Using AWS CLI:
Run the following AWS CLI command to list all snapshots:
aws ec2 describe-snapshots --owner-ids <account-number> --filters Name=status,Values=completed --query "Snapshots[*].{ID:SnapshotId}"
For each snapshot, run the following command to check if it is encrypted:
aws ec2 describe-snapshots --snapshot-ids <snapshot-ID> --query "Snapshots[*].{Encrypt:Encrypted}"
If the snapshot is not encrypted, proceed with remediation.
Implementation Plan:
Using AWS Console:
Log in to the AWS EC2 Console.
Under Elastic Block Store, click on Snapshots.
Select the unencrypted snapshot.
Click Actions, then Copy.
In the Copy Snapshot dialog:
Set Destination Region.
Enter a Description for the new encrypted snapshot.
Check the Encryption box and choose the encryption key (either AWS default or a custom key).
Click Copy.
Once the new encrypted snapshot is created, go to the AMIs tab and Deregister the unencrypted snapshot to remove it from the list of available snapshots.
Using AWS CLI:
To copy an unencrypted snapshot and set it to encrypted, run:
aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snap-id> --description "New encrypted snapshot" --encrypted
After the snapshot is copied and encrypted, confirm that the encryption is applied:
aws ec2 describe-snapshots --snapshot-ids <new-snapshot-id> --query "Snapshots[*].{Encrypt:Encrypted}"
To delete the unencrypted snapshot, run:
aws ec2 delete-snapshot --snapshot-id <old-snapshot-id>
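The audit and remediation steps above, scripted as an added example (not code from this benchmark or from AWS): it walks describe_snapshots output for completed snapshots that are not encrypted and builds the copy_snapshot arguments that the `copy-snapshot --encrypted` step uses. FakeEC2, PAGES, the region and the snapshot IDs are constructed stand-ins for a boto3 EC2 client and its responses; with boto3 installed, pass boto3.client("ec2") to audit_snapshots() instead.

```python
# Added example for this benchmark item, not code from the benchmark or AWS.
# Stdlib only: FakeEC2 stands in for a boto3 EC2 client (constructed pages below).
REGION = "us-east-1"  # assumed region for the example

# Constructed sample describe_snapshots pages (only the fields the audit reads).
PAGES = [
    {"Snapshots": [
        {"SnapshotId": "snap-0a1", "State": "completed", "Encrypted": False},
        {"SnapshotId": "snap-0a2", "State": "completed", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ]},
    {"Snapshots": [
        {"SnapshotId": "snap-0b3", "State": "pending", "Encrypted": False},
        {"SnapshotId": "snap-0b4", "State": "completed", "Encrypted": False},
    ]},
]

class FakeEC2:
    """Minimal stand-in for boto3's EC2 client: get_paginator().paginate()."""
    def __init__(self, pages):
        self._pages = pages
    def get_paginator(self, operation):
        assert operation == "describe_snapshots"
        return self
    def paginate(self, **kwargs):
        return iter(self._pages)

def audit_snapshots(ec2, owner="self"):
    """Return IDs of completed, unencrypted snapshots owned by `owner`.
    Walks every result page, and skips 'pending' snapshots: they cannot be
    copied until they complete, so they are re-audited on the next run."""
    paginator = ec2.get_paginator("describe_snapshots")
    return [snap["SnapshotId"]
            for page in paginator.paginate(OwnerIds=[owner])
            for snap in page["Snapshots"]
            if snap["State"] == "completed" and not snap.get("Encrypted", False)]

def remediation_calls(snapshot_ids, region=REGION, kms_key_id=None):
    """Build copy_snapshot keyword arguments for each finding. KmsKeyId pins a
    customer managed key; if omitted, the account's default EBS key is used.
    No delete is emitted: the original goes only after the copy is verified."""
    calls = []
    for sid in snapshot_ids:
        args = {"SourceRegion": region, "SourceSnapshotId": sid,
                "Description": f"Encrypted copy of {sid}", "Encrypted": True}
        if kms_key_id:
            args["KmsKeyId"] = kms_key_id
        calls.append(args)
    return calls
```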
Backout Plan:
Using AWS Console:
If the encrypted snapshot causes issues, log in to the EC2 Console.
If needed, copy the original unencrypted snapshot again so that it is restored to its original state.
Revert to the original unencrypted snapshot and make sure that the data is intact.
Using AWS CLI:
If issues arise, restore the original unencrypted snapshot by copying it again:
aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snap-id> --description "Restored unencrypted snapshot" --no-encrypted
Verify that the snapshot has been restored successfully and delete the encrypted copy if necessary:
aws ec2 delete-snapshot --snapshot-id <encrypted-snapshot-id>
References:
AWS CLI: describe-snapshots
CIS Controls: