Profile Applicability:
- Level 1
Description:
Unused Elastic Block Store (EBS) volumes in your AWS account should be identified and removed if they are no longer required. EBS volumes that are unattached to EC2 instances still contain data, and it is crucial to prevent unauthorized access to this data. If these volumes are not needed for future use, they should be deleted to ensure the security of your environment and reduce unnecessary costs.
Rationale:
EBS volumes that are not attached to EC2 instances can still contain sensitive data. Leaving unused volumes in your environment poses a risk of accidental exposure or unauthorized access to that data. Removing these unused volumes ensures that:
Data privacy is maintained by preventing unauthorized access.
You minimize the risk of data leaks from abandoned volumes.
Unused resources are deleted, reducing the potential attack surface and saving on storage costs.
Impact:
Pros:
Reduced security risks by removing unused volumes that may contain sensitive data.
Cost optimization by ensuring that no unnecessary storage volumes incur costs.
Improved resource management by keeping the environment clean and free from unused resources.
Cons:
Data loss: Once a volume is deleted, the data on it is permanently lost unless a snapshot is taken beforehand.
Requires careful management to avoid accidental deletion of necessary volumes.
Default Value:
By default, unused EBS volumes remain in the account until explicitly deleted. These volumes may accrue storage costs even if they are not being actively used.
Pre-requisites:
AWS IAM permissions to view and delete EBS volumes:
ec2:DescribeVolumes, ec2:DeleteVolume
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console and open the EC2 Console.
Under Elastic Block Store, click Volumes.
In the State column, filter for Available.
Identify the unused EBS volumes (those listed as Available) that are not attached to any EC2 instances.
Capture the list of these unused volumes for remediation.
Repeat the process across all regions to ensure no unused volumes are left.
Using AWS CLI:
Run the following command to list all EBS volumes in the current region that are not attached to any instance (the CLI only queries one region per call, so pass --region or re-run it for every region in use):
aws ec2 describe-volumes --filters Name=status,Values=available --query "Volumes[*].{ID:VolumeId}"
Review the output, which will list all volumes that are currently in the Available state (i.e., not attached to any EC2 instance).
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console and open the EC2 Console.
Under Elastic Block Store, click Volumes.
In the State column, filter for Available to find all unused volumes.
Select the volume you wish to delete.
Click Actions, then select Delete volume.
Confirm the deletion by clicking Yes, Delete.
Repeat the process for other unused volumes as necessary.
Ensure this process is followed for all regions in use.
Using AWS CLI:
For each unused volume identified in the audit, run the following command to delete the volume (take a snapshot first if its data may still be needed; see the Backout Plan):
aws ec2 delete-volume --volume-id <volume-id>
Repeat for any other unused volumes that need to be deleted.
Backout Plan:
Using AWS Console:
If the wrong volume is deleted, log in to the EC2 Console.
Navigate to Snapshots, select the snapshot that was taken of that volume before it was deleted, and create a new volume from it to restore the data.
If no snapshot exists, the volume cannot be restored. Ensure that snapshots are taken before deleting any volumes in the future.
Using AWS CLI:
If a volume was deleted by mistake, it can only be restored from a snapshot taken before the deletion; without one, the data is unrecoverable.
If a snapshot was created, restore the deleted volume by creating a new volume from the snapshot in the required Availability Zone:
aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone <az>
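The Test Plan, Implementation Plan and Backout Plan above can be combined into one region-wide sweep. The following script is an added example, not part of the benchmark text: it filters describe-volumes output down to unattached volumes, reports whether each is encrypted, and (only when asked) snapshots each one before deleting it, so the Backout Plan always has something to restore from. It assumes boto3 is installed, credentials with ec2:DescribeRegions, ec2:DescribeVolumes, ec2:CreateSnapshot and ec2:DeleteVolume, and a hypothetical Retain=true tag that exempts a volume from deletion.

```python
RETAIN_TAG = "Retain"  # assumed tag key: Retain=true exempts a volume from deletion

def unused_volumes(describe_output, region):
    """Reduce one region's describe-volumes output to unattached candidates.
    Each entry records id, region, size, encryption state and retain-tag status."""
    result = []
    for v in describe_output.get("Volumes", []):
        if v.get("State") != "available" or v.get("Attachments"):
            continue  # only fully detached volumes qualify
        tags = {t["Key"]: t["Value"] for t in v.get("Tags", [])}
        result.append({
            "id": v["VolumeId"],
            "region": region,
            "size_gib": v.get("Size", 0),
            "encrypted": bool(v.get("Encrypted", False)),  # unencrypted leftovers are the higher risk
            "retain": tags.get(RETAIN_TAG, "").lower() == "true",
        })
    return result

def snapshot_then_delete(ec2, vol):
    """Backout-safe deletion: snapshot, wait for completion, then delete.
    Returns the snapshot id, or None if the volume is tagged for retention."""
    if vol["retain"]:
        return None
    snap = ec2.create_snapshot(VolumeId=vol["id"],
                               Description=f"pre-deletion backup of {vol['id']}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    ec2.delete_volume(VolumeId=vol["id"])
    return snap["SnapshotId"]

def audit_all_regions(delete=False):
    """Walk every enabled region; delete=False audits only, delete=True remediates."""
    import boto3  # imported here so the filter logic above stays testable offline
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    findings = []
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_volumes").paginate(
            Filters=[{"Name": "status", "Values": ["available"]}])
        for page in pages:
            for vol in unused_volumes(page, region):
                if delete:
                    vol["snapshot"] = snapshot_then_delete(ec2, vol)
                findings.append(vol)
    return findings

# Constructed sample describe-volumes output (not from a real account) for an offline check.
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "State": "available", "Attachments": [], "Size": 100, "Encrypted": False},
    {"VolumeId": "vol-0bbb", "State": "in-use", "Attachments": [{"InstanceId": "i-0123"}], "Size": 8},
    {"VolumeId": "vol-0ccc", "State": "available", "Attachments": [], "Size": 20, "Encrypted": True,
     "Tags": [{"Key": "Retain", "Value": "true"}]},
]}

if __name__ == "__main__":
    for finding in unused_volumes(SAMPLE, "us-east-1"):
        print(finding)
```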
References:
CIS Controls: