Profile Applicability

  • Level 1

Description:

Amazon Elastic Block Store (EBS) provides block-level storage volumes for EC2 instances. A new EBS volume is created unencrypted unless the caller requests encryption or encryption by default has been turned on for that region. When a volume is encrypted, EBS uses AES-256 with a data key protected by an AWS KMS key (the AWS managed key aws/ebs or a customer managed key) to encrypt data at rest on the volume, data moving between the volume and the instance, every snapshot created from the volume, and every volume created from those snapshots. Encryption is performed on the hosts that run the instance, so it needs no changes to the guest OS or application and has only a minimal latency cost. This reduces the risk of unauthorized access to sensitive data, including through copied or shared snapshots.

This control checks that EBS encryption by default is enabled in every region the account uses and that no unencrypted volumes remain, to meet security requirements and compliance standards that mandate the encryption of sensitive data at rest.

Rationale:

Enabling EBS volume encryption provides the following benefits:

  • Data protection: Ensures that sensitive data stored on EBS volumes is protected from unauthorized access through encryption at rest.

  • Compliance: Meets regulatory requirements for data encryption, including PCI-DSS, HIPAA, and others that mandate the encryption of stored data.

  • Security: Encrypted volumes and their snapshots can only be read by principals allowed to use the KMS key, so a copied or shared snapshot does not expose the data on its own.

  • Automatic encryption: Once encryption by default is enabled in a region, every new volume and snapshot copy created there is encrypted even if the caller omits the option, so unencrypted volumes are not created by mistake.

Without encryption, data stored on EBS volumes can be exposed to unauthorized access, posing a significant security and compliance risk.

Impact:

Failure to enable EBS volume encryption in all regions can result in:

  • Unprotected data: EBS volumes without encryption store data in plaintext, making it vulnerable to unauthorized access.

  • Non-compliance: Violates security best practices and compliance requirements that mandate data encryption at rest.

  • Data breaches: Exposing sensitive data stored on EBS volumes increases the risk of data breaches and unauthorized access.

By ensuring encryption is enabled for all EBS volumes, sensitive data is protected in compliance with industry standards.

Default Value:

By default, encryption by default is disabled and a volume is created unencrypted unless the Encrypted option is set on the request. Encryption by default is an account setting scoped to a single region, so it must be enabled separately in each region the account uses. Enabling it only affects volumes and snapshot copies created afterwards; volumes that already exist are not changed.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • ec2:DescribeRegions

    • ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault

    • ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:DescribeSnapshots and ec2:CreateVolume

    • ec2:DetachVolume and ec2:AttachVolume (to swap a migrated volume onto its instance)

    • kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:GenerateDataKey* and kms:ReEncrypt* on the KMS key, if a customer managed key is used instead of the AWS managed key aws/ebs

  • Access to every region enabled for the account, since the encryption-by-default setting is configured and checked per region.

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the EC2 Console and select a region in the region selector; repeat the following steps for every enabled region.

  2. On the EC2 Dashboard, under Account attributes, open Settings → EBS encryption and confirm that Always encrypt new EBS volumes shows Enabled.

  3. In the Elastic Block Store section, select Volumes and check the Encrypted column; every volume should show Encrypted.

  4. Any volume that is not encrypted must be migrated to an encrypted copy as described in the Implementation Plan or, if it is no longer needed, deleted.

Using AWS CLI:

Encryption by default is a per-region setting and describe-volumes only returns volumes in the region the CLI is pointed at, so both checks must be repeated for every enabled region. List the regions first:

aws ec2 describe-regions --query "Regions[].RegionName" --output text

Then, for each region, verify that encryption by default is enabled (expected output: True):

aws ec2 get-ebs-encryption-by-default --region <region> --query EbsEncryptionByDefault --output text

and list the volumes that already exist in the region with their encryption state; any row showing False is a finding:

aws ec2 describe-volumes --region <region> --query "Volumes[].[VolumeId,Encrypted]" --output table
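The per-region checks above can be driven from one script. The following is an added example, not part of the original control text and not an AWS-provided tool: it enumerates the regions enabled for the account, reports whether encryption by default is on in each, lists any unencrypted volumes, and, only when run with ENABLE=1, turns encryption by default on where it is off. It assumes AWS CLI v2 configured with the permissions from the Pre-Requisites section; the file name ebs-audit.sh, the ENABLE variable and the function names are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the original control text): audit EBS encryption in every
# enabled region. Assumes AWS CLI v2 with ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault
# and ec2:DescribeVolumes (plus ec2:EnableEbsEncryptionByDefault when ENABLE=1 is set).
set -u

# Filter the text output of
#   aws ec2 describe-volumes --query "Volumes[].[VolumeId,Encrypted]" --output text
# (one "<volume-id><TAB>True|False" line per volume) down to the unencrypted volume IDs.
unencrypted_ids() {
  awk -F'\t' '$2 == "False" { print $1 }'
}

# Map the text output of get-ebs-encryption-by-default ("True"/"False") to a verdict.
default_verdict() {
  case "$1" in
    True)  echo PASS ;;
    False) echo FAIL ;;
    *)     echo UNKNOWN ;;
  esac
}

audit_region() {
  local region="$1" enabled
  enabled=$(aws ec2 get-ebs-encryption-by-default --region "$region" \
              --query EbsEncryptionByDefault --output text 2>/dev/null || echo unknown)
  printf '%-16s encryption-by-default: %s\n' "$region" "$(default_verdict "$enabled")"

  # The default setting never touches existing volumes, so they are listed separately.
  aws ec2 describe-volumes --region "$region" \
      --query "Volumes[].[VolumeId,Encrypted]" --output text \
    | unencrypted_ids | sed "s/^/  unencrypted volume in $region: /"

  # Remediate only on explicit request; the audit itself makes no changes.
  if [ "${ENABLE:-0}" = "1" ] && [ "$enabled" = "False" ]; then
    aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null \
      && echo "  enabled encryption by default in $region"
  fi
}

audit_all_regions() {
  local region
  # describe-regions returns only the regions enabled for this account.
  for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
    audit_region "$region"
  done
}

# Run the audit when invoked as ebs-audit.sh; sourcing the file only defines the functions.
case "${0##*/}" in ebs-audit.sh) audit_all_regions ;; esac
```

Run it as ./ebs-audit.sh for a read-only report, or ENABLE=1 ./ebs-audit.sh to also switch encryption by default on in every region where it is off. Any line reporting FAIL or an unencrypted volume is a finding for this control.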

Implementation Plan:

Using AWS Console:

  1. Enable EBS encryption for all new volumes:

    • Go to the EC2 Console and select the region to configure in the region selector.

    • On the EC2 Dashboard, under Account attributes, open Settings, select EBS encryption and choose Manage.

    • Enable Always encrypt new EBS volumes, choose the default KMS key (the AWS managed key aws/ebs or a customer managed key) and click Update EBS encryption.

    • Repeat in every enabled region; the setting is per region and does not propagate.

  2. Encrypt existing unencrypted volumes (encryption cannot be turned on in place):

    • Select the unencrypted volume, click Actions → Create snapshot and wait for the snapshot to complete.

    • Create a new volume from that snapshot with Encrypt this volume selected, in the same Availability Zone as the instance.

    • Stop the instance (for a root volume) or unmount the volume inside the guest OS (for a data volume), detach the original volume, attach the encrypted volume using the same device name, and start the instance.

    • Keep the original volume and snapshot until the instance has been verified on the encrypted copy, then delete them.

Using AWS CLI:

  1. Enable encryption for all new EBS volumes, repeating the command in every enabled region (the setting does not propagate between regions):

aws ec2 enable-ebs-encryption-by-default --region <region>

Volumes created from then on are encrypted with the AWS managed key aws/ebs unless a different default key is set for the region:

aws ec2 modify-ebs-default-kms-key-id --region <region> --kms-key-id <key-id>

  2. Encrypt existing unencrypted volumes. Encryption cannot be switched on in place: take a snapshot of the volume (the snapshot of an unencrypted volume is itself unencrypted), create an encrypted volume from that snapshot, then swap the volumes on the instance:

aws ec2 create-snapshot --region <region> --volume-id <volume-id> --description "Pre-encryption copy of <volume-id>"
aws ec2 wait snapshot-completed --region <region> --snapshot-ids <snapshot-id>
aws ec2 create-volume --region <region> --snapshot-id <snapshot-id> --availability-zone <az> --volume-type <volume-type> --encrypted
aws ec2 detach-volume --region <region> --volume-id <volume-id>
aws ec2 attach-volume --region <region> --volume-id <new-volume-id> --instance-id <instance-id> --device <device>

The new volume must be in the same Availability Zone as the instance. Stop the instance before replacing a root volume, and unmount a data volume inside the guest OS before detaching it. Keep the original volume until the instance has been verified on the encrypted copy.

  3. Verify encryption settings:

aws ec2 get-ebs-encryption-by-default --region <region>
aws ec2 describe-volumes --region <region> --query "Volumes[].[VolumeId,Encrypted]" --output table
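The snapshot-and-replace sequence in step 2 is the part most likely to go wrong by hand, so here it is as one function. This is an added example, not part of the original control text: it records the attachment details of the volume, snapshots it, creates an encrypted copy (optionally under a customer managed KMS key), confirms through the API that the copy is encrypted before touching the instance, and swaps the volumes while keeping the original and the snapshot for rollback. The function name reencrypt_volume, its argument order and the script name ebs-reencrypt.sh are this example's own; it assumes AWS CLI v2 with the permissions listed under Pre-Requisites, and that a root volume's instance has already been stopped.

```shell
#!/usr/bin/env bash
# Added example (not from the original control text): replace one unencrypted EBS volume
# with an encrypted copy, keeping the original volume and snapshot as the rollback path.
# Assumes AWS CLI v2 with ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:DescribeSnapshots,
# ec2:CreateVolume, ec2:DetachVolume and ec2:AttachVolume (plus KMS key permissions when
# a customer managed key is passed). Function name and argument order are this example's own.
set -u

# Usage: reencrypt_volume <volume-id> <region> [kms-key-id]
# Exit status: 0 on success, 1 if an AWS step fails or the copy is not encrypted, 2 on bad arguments.
reencrypt_volume() {
  [ $# -ge 2 ] || { echo "usage: reencrypt_volume <volume-id> <region> [kms-key-id]" >&2; return 2; }
  local vol="$1" region="$2" key="${3:-}"
  local info az type enc instance device snap new_vol keyarg=""

  # Record where the volume lives and what it is attached to, so the copy can take its place.
  info=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
           --query "Volumes[0].[AvailabilityZone,VolumeType,Encrypted,Attachments[0].InstanceId,Attachments[0].Device]" \
           --output text) || return 1
  set -- $info
  az="$1"; type="$2"; enc="$3"; instance="$4"; device="$5"
  if [ "$enc" = "True" ]; then
    echo "$vol is already encrypted" >&2
    return 0
  fi

  # A snapshot of an unencrypted volume is unencrypted; encryption is applied when the
  # new volume is created from it.
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
           --description "pre-encryption copy of $vol" --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || return 1

  # Without --kms-key-id the region's default key (aws/ebs unless changed) is used.
  # io1/io2 volumes would additionally need --iops.
  [ -n "$key" ] && keyarg="--kms-key-id $key"
  new_vol=$(aws ec2 create-volume --region "$region" --snapshot-id "$snap" --availability-zone "$az" \
              --volume-type "$type" --encrypted $keyarg --query VolumeId --output text) || return 1
  aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || return 1

  # Refuse to touch the instance unless the API confirms the copy is encrypted.
  enc=$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
          --query "Volumes[0].Encrypted" --output text) || return 1
  [ "$enc" = "True" ] || { echo "$new_vol is not encrypted; aborting swap" >&2; return 1; }

  # Swap only if the volume was attached. A root volume needs its instance stopped first;
  # a data volume must be unmounted inside the guest OS before it is detached.
  if [ "$instance" != "None" ]; then
    aws ec2 detach-volume --region "$region" --volume-id "$vol" >/dev/null || return 1
    aws ec2 wait volume-available --region "$region" --volume-ids "$vol" || return 1
    aws ec2 attach-volume --region "$region" --volume-id "$new_vol" \
        --instance-id "$instance" --device "$device" >/dev/null || return 1
    aws ec2 wait volume-in-use --region "$region" --volume-ids "$new_vol" || return 1
  fi
  echo "$vol replaced by $new_vol (snapshot $snap and the original volume are kept for rollback)"
}

# Run directly as ebs-reencrypt.sh; when sourced, only the function is defined.
case "${0##*/}" in ebs-reencrypt.sh) reencrypt_volume "$@" ;; esac
```

Invoke it as ./ebs-reencrypt.sh vol-0123456789abcdef0 us-east-1 [key-id]. Nothing is deleted: once the instance has been verified on the encrypted volume, remove the original volume and the unencrypted snapshot by hand, since the snapshot holds a plaintext copy of the data.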

Backout Plan:

Using AWS Console:

  1. If enabling encryption by default breaks a workflow (for example, an instance launch or an AMI copy fails because the caller lacks permission on the KMS key), first check the KMS key policy and the IAM role of the caller; granting the missing kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:GenerateDataKey* and kms:ReEncrypt* permissions is usually the fix and avoids a rollback.

  2. To roll the setting back, go to the EC2 Console, open Settings under Account attributes, select EBS encryption, choose Manage and disable Always encrypt new EBS volumes. This only affects volumes created afterwards; existing encrypted volumes stay encrypted.

  3. To revert a volume that was migrated to an encrypted copy, detach the encrypted volume and re-attach the original unencrypted volume retained during remediation. Encryption cannot be removed from an existing volume; the only other way to obtain an unencrypted copy is to create a new volume from the unencrypted pre-migration snapshot while encryption by default is disabled in that region.

Using AWS CLI:

  1. Disable encryption by default in the affected region (ModifyVolume has no option to remove encryption from a volume):

aws ec2 disable-ebs-encryption-by-default --region <region>

  2. Re-attach the retained original volume in place of the encrypted copy:

aws ec2 detach-volume --region <region> --volume-id <encrypted-volume-id>
aws ec2 attach-volume --region <region> --volume-id <original-volume-id> --instance-id <instance-id> --device <device>

  3. Stop the instance before swapping a root volume, and keep the encrypted volume and the snapshot until troubleshooting is complete.

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services