Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon Elastic Block Store (EBS) Default Encryption is enabled for the AWS account. When default encryption is activated, all newly created EBS volumes, snapshots, and AMIs are automatically encrypted using either the default AWS-managed key or a customer-managed AWS Key Management Service (KMS) key. This ensures that data at rest remains protected without requiring manual encryption configuration.


Rationale:

Enabling EBS default encryption ensures that all data written to EBS volumes is encrypted by default, reducing the risk of accidental unencrypted storage of sensitive information. It simplifies compliance with security and privacy frameworks such as CIS, SOC 2, ISO 27001, HIPAA, and GDPR, while minimizing administrative overhead for encryption management.


Impact:

  • Positive Impact: Automatically enforces encryption for all new EBS resources, protecting sensitive data at rest and meeting compliance requirements.

  • Negative Impact: None significant, although performance may slightly vary depending on the instance type and encryption configuration.


Default Value:

By default, EBS encryption is not enabled at the account level. Volumes must be manually encrypted unless default encryption is activated.


Pre-Requisite:

  • IAM permissions required: ec2:GetEbsEncryptionByDefault, ec2:EnableEbsEncryptionByDefault, and kms:ListKeys.

  • An available AWS-managed or customer-managed KMS key for encryption.


Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Account Attributes → EBS encryption.

  3. Verify that Default encryption is set to Enabled.

  4. If it is set to Disabled, the account is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Account Attributes → EBS encryption.

  2. Click Manage.

  3. Select Enable encryption by default.

  4. (Optional) Choose a customer-managed KMS key if required; otherwise, use the AWS-managed key (aws/ebs).

  5. Save changes.

  6. Verify that all future EBS volumes and snapshots are automatically encrypted.

Backout Plan:

Using AWS Console:

  1. To disable default encryption (not recommended):

    • Go to EC2 → Account Attributes → EBS encryption.

    • Click Manage, then deselect Enable encryption by default.

  2. Note that disabling default encryption does not affect existing encrypted volumes, but volumes created afterwards will be unencrypted unless encryption is requested explicitly at creation time.
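The Test Plan, Implementation Plan and Backout Plan above are all console procedures. The script below is an added example, not part of the benchmark text, that performs the same three steps through the EC2 API with boto3: it audits every region (encryption by default is a per-region setting, so a single-region check is not a full account audit), enables the setting where the audit failed, optionally points the default at a customer-managed key, verifies the result, and disables it again for the backout. It assumes, beyond the permissions listed in the Pre-Requisite section, ec2:DescribeRegions, ec2:GetEbsDefaultKmsKeyId, ec2:ModifyEbsDefaultKmsKeyId and ec2:DisableEbsEncryptionByDefault. The FakeEc2 class, the two region names and the KMS key ARN are constructed stand-ins so the script runs offline; pass --live to run it against the real account.

```python
"""EBS encryption by default: audit all regions, enable with optional CMK, verify, back out.

Added example (not the benchmark's own tooling). Every function takes a boto3 EC2 client,
or any object exposing the same calls, so the logic runs offline against FakeEc2 below.
"""
import sys
from typing import Callable, Dict, Iterable, List, Optional

AWS_MANAGED_KEY = "alias/aws/ebs"  # the AWS-managed key the console offers by default


def get_status(ec2) -> Dict[str, object]:
    """Test Plan step 3: read one region's encryption-by-default state and default key."""
    return {
        "enabled": bool(ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]),
        "kms_key_id": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
    }


def audit(client_for_region: Callable[[str], object], regions: Iterable[str]) -> Dict[str, bool]:
    """Test Plan step 4: map each region to True (Enabled) or False (Disabled, non-compliant).

    The attribute is per region, so every region in use must be checked, not just one."""
    return {r: get_status(client_for_region(r))["enabled"] for r in regions}


def non_compliant(report: Dict[str, bool]) -> List[str]:
    """Regions where the Test Plan fails."""
    return sorted(r for r, ok in report.items() if not ok)


def enable_default_encryption(ec2, kms_key_id: Optional[str] = None) -> Dict[str, object]:
    """Implementation Plan steps 3-6: enable, optionally choose a customer-managed key, verify."""
    ec2.enable_ebs_encryption_by_default()
    if kms_key_id:
        # Same effect as picking a key in the console (assumed permission: ec2:ModifyEbsDefaultKmsKeyId)
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    status = get_status(ec2)
    if not status["enabled"]:
        raise RuntimeError("encryption by default still reports Disabled after enabling")
    return status


def disable_default_encryption(ec2) -> Dict[str, object]:
    """Backout Plan: turn the setting off. Existing encrypted volumes are untouched, and the
    default KMS key is a separate attribute that this call leaves in place."""
    ec2.disable_ebs_encryption_by_default()
    return get_status(ec2)


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (offline demo and tests only)."""

    def __init__(self, enabled: bool = False):
        self.enabled, self.kms_key_id = enabled, AWS_MANAGED_KEY

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.kms_key_id}

    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def disable_ebs_encryption_by_default(self):
        self.enabled = False
        return {"EbsEncryptionByDefault": False}

    def modify_ebs_default_kms_key_id(self, KmsKeyId: str):
        self.kms_key_id = KmsKeyId
        return {"KmsKeyId": KmsKeyId}


def demo() -> Dict[str, object]:
    """Walk the three plans against two constructed regions; returns the observed states."""
    fakes = {"us-east-1": FakeEc2(enabled=True), "eu-west-1": FakeEc2(enabled=False)}
    placeholder_cmk = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"  # constructed
    before = audit(fakes.get, list(fakes))
    for region in non_compliant(before):  # remediate only where the Test Plan failed
        enable_default_encryption(fakes[region], kms_key_id=placeholder_cmk)
    after = audit(fakes.get, list(fakes))
    rolled_back = disable_default_encryption(fakes["eu-west-1"])
    return {"before": before, "after": after, "rolled_back": rolled_back}


def main() -> int:
    import boto3  # real AWS calls happen only here

    ec2 = boto3.client("ec2")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    report = audit(lambda name: boto3.client("ec2", region_name=name), regions)
    for region, ok in sorted(report.items()):
        print(f"{region}: {'Enabled' if ok else 'Disabled (non-compliant)'}")
    return 1 if non_compliant(report) else 0


if __name__ == "__main__":
    raise SystemExit(main() if "--live" in sys.argv else print(demo()))
```

One caveat worth checking before enabling in a region: once encryption by default is on, instance types that do not support EBS encryption can no longer be launched there, and existing unencrypted volumes and snapshots stay unencrypted until they are copied with encryption enabled.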

References:

  • Amazon EBS Encryption Documentation

  • AWS Security Best Practices Whitepaper

  • AWS KMS Best Practices