Profile Applicability:
Level 2
Description:
AWS Fargate ephemeral storage is a temporary storage solution used by tasks running on Amazon ECS. By enabling encryption with customer-managed keys (CMKs) for this ephemeral storage, you ensure that the data is encrypted at rest using your own encryption keys, providing better control and compliance. This is essential for securing sensitive data and ensuring that it remains protected even in transient storage.
Rationale:
By default, AWS encrypts ephemeral storage using AWS-managed keys, but using customer-managed keys gives you full control over the encryption process. This allows you to define your own policies, rotate keys, and maintain compliance with stricter regulatory requirements. Ensuring that ephemeral storage is encrypted with CMKs helps meet security standards and protects your data against unauthorized access.
Impact:
Pros:
Enhanced Security: Customer-managed keys allow you to have full control over encryption, providing greater security for your data.
Compliance: Helps meet compliance requirements that mandate the use of customer-managed keys for encryption (e.g., PCI-DSS, HIPAA).
Key Management: You can define your own key rotation policies, enabling better management and security of encryption keys.
Cons:
Key Management Overhead: Managing and rotating customer-managed keys can require additional administrative effort.
Complexity: Setting up and configuring customer-managed keys for Fargate ephemeral storage involves several steps and requires correct IAM permissions.
Default Value:
By default, AWS Fargate ephemeral storage is encrypted with AWS-managed keys. To use customer-managed keys, you need to create and manage the keys in AWS Key Management Service (KMS).
Pre-requisites:
IAM permissions to manage AWS KMS and ECS configurations.
A KMS key created in AWS Key Management Service (KMS) to use for encryption, with a key policy that allows the Fargate service principal (fargate.amazonaws.com) to use it.
Access to AWS ECS and Fargate configurations.
Remediation:
Test Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Navigate to Key Management Service (KMS) and ensure that you have a customer-managed key (CMK) available.
If no key exists, create one by selecting Create Key and following the steps to define the key usage and policies.
Navigate to ECS and select the Cluster and Task Definition you want to configure for Fargate.
Edit the task definition, and under the Ephemeral Storage section, configure the Encryption setting to use your customer-managed key (CMK).
Select KMS Key ID and choose the CMK you created earlier.
Save the task definition and redeploy the ECS task to apply the encryption settings.
Verify that the Fargate task is using the CMK for ephemeral storage encryption by checking the task logs and configuration.
Using AWS CLI:
List available KMS keys to identify the one you want to use for encryption:
aws kms list-keys
To create a new KMS key, run:
aws kms create-key --description "Fargate Ephemeral Storage Encryption Key"
After ensuring you have a CMK, set it as the Fargate ephemeral storage key in the cluster's managed storage configuration; Fargate tasks launched in that cluster afterwards (platform version 1.4.0 or later) encrypt their ephemeral storage with it:
aws ecs update-cluster --cluster <cluster-name> --configuration '{"managedStorageConfiguration": {"fargateEphemeralStorageKmsKeyId": "<your-kms-key-id>"}}'
Verify that the cluster configuration carries the CMK (look for fargateEphemeralStorageKmsKeyId under managedStorageConfiguration) by running:
aws ecs describe-clusters --clusters <cluster-name> --include CONFIGURATIONS
Redeploy the ECS task to ensure the new encryption settings are applied.
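As an added audit check (example code, not part of this benchmark or of AWS tooling), the following parses the JSON that describe-clusters prints and flags clusters whose Fargate ephemeral storage is not encrypted with a CMK; the cluster names and key ARN in the sample are constructed.

```python
"""Audit helper: classify ECS clusters by whether a customer-managed KMS key
is configured for Fargate ephemeral storage. Input is the JSON printed by
`aws ecs describe-clusters --clusters <names> --include CONFIGURATIONS`;
the sample below is constructed, not captured from a real account."""
import json
from typing import Dict, List

SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "clusters": [
        {   # Constructed: cluster with a CMK set for Fargate ephemeral storage
            "clusterName": "prod-api",
            "configuration": {
                "managedStorageConfiguration": {
                    "fargateEphemeralStorageKmsKeyId":
                        "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
                }
            },
        },
        {   # Constructed: cluster relying on the AWS-managed default key
            "clusterName": "staging",
            "configuration": {},
        },
        {   # Constructed: cluster with no configuration block at all
            "clusterName": "sandbox",
        },
    ],
    "failures": [],
})


def ephemeral_storage_cmk(cluster: Dict) -> str:
    """Return the KMS key configured for Fargate ephemeral storage on a
    cluster, or '' when the cluster falls back to the AWS-managed key."""
    config = cluster.get("configuration") or {}
    storage = config.get("managedStorageConfiguration") or {}
    return storage.get("fargateEphemeralStorageKmsKeyId") or ""


def audit_clusters(describe_clusters_json: str) -> Dict[str, List[str]]:
    """Sort cluster names into 'compliant' (CMK set) and 'non_compliant'."""
    data = json.loads(describe_clusters_json)
    report: Dict[str, List[str]] = {"compliant": [], "non_compliant": []}
    for cluster in data.get("clusters", []):
        key = "compliant" if ephemeral_storage_cmk(cluster) else "non_compliant"
        report[key].append(cluster["clusterName"])
    return report
```

Pipe the real describe-clusters output into audit_clusters to get the list of clusters that still need remediation.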
Implementation Plan:
Using the AWS Console:
Log in to the AWS Management Console.
Navigate to KMS and ensure you have a customer-managed key.
If not, create a new key in KMS.
Navigate to ECS and select the Task Definition.
Under Ephemeral Storage, enable encryption and choose the customer-managed key (CMK).
Save the task definition and redeploy the ECS service to apply the encryption settings.
Verify that the encryption is applied correctly by checking the task definition and logs.
Using AWS CLI:
Create a customer-managed key in KMS if not already done:
aws kms create-key --description "Fargate Ephemeral Storage Encryption Key"
Update the ECS cluster's managed storage configuration to encrypt Fargate ephemeral storage with the customer-managed key:
aws ecs update-cluster --cluster <cluster-name> --configuration '{"managedStorageConfiguration": {"fargateEphemeralStorageKmsKeyId": "<your-kms-key-id>"}}'
Redeploy the ECS task and verify that encryption is working as expected; the fargateEphemeralStorage.kmsKeyId field of a running task should show your CMK:
aws ecs describe-tasks --cluster <cluster-name> --tasks <task-id>
Backout Plan:
Using the AWS Console:
If there are issues with encryption or the task deployment, navigate to the ECS Console and select the Task Definition.
Edit the task definition to disable encryption or change the key back to an AWS-managed key.
Save the changes and redeploy the ECS task.
Using AWS CLI:
To revert to the AWS-managed key, update the cluster configuration without a Fargate ephemeral storage key ID:
aws ecs update-cluster --cluster <cluster-name> --configuration '{"managedStorageConfiguration": {}}'
Redeploy the ECS task and verify that the encryption settings are reverted.