Profile Applicability:

  • Level 1

Description:

This control ensures that all Amazon Elastic Block Store (EBS) snapshots are encrypted to protect the data at rest. Encryption safeguards snapshot data against unauthorized access, ensuring that any volumes created from these snapshots remain secure. Encrypted snapshots also automatically encrypt any EBS volumes or copies made from them, maintaining end-to-end data protection.

Rationale:

EBS snapshots often contain full copies or backups of production data, including sensitive information. Unencrypted snapshots can expose confidential data if accessed by unauthorized users or if shared accidentally across accounts. Enabling encryption helps ensure compliance with CIS, SOC 2, ISO 27001, HIPAA, and GDPR, and enforces the principle of data confidentiality.

Impact:

  • Positive Impact: Ensures that sensitive backup data is protected against unauthorized access and that any future volumes derived from snapshots remain encrypted.

  • Negative Impact: Copying or converting existing unencrypted snapshots to encrypted ones may temporarily increase storage and I/O costs.


Default Value:

By default, EBS snapshots inherit the encryption status of the parent volume. If the volume was unencrypted, the resulting snapshot is also unencrypted. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSnapshots, ec2:CopySnapshot, ec2:ModifySnapshotAttribute, and kms:ListKeys.

  • Ensure that EBS Default Encryption is enabled for future snapshots and volumes.


Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Snapshots.

  3. In the snapshot list, check the Encryption column.

  4. Verify that each snapshot is marked as Encrypted.

  5. If any snapshot is listed as Not Encrypted, it is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Snapshots.

  2. Identify any unencrypted snapshot.

  3. To encrypt it, select the snapshot and choose Actions → Copy snapshot.

  4. In the copy configuration window:

    • Check the option Encrypt this snapshot.

    • Select a KMS key (either the default AWS-managed key or a customer-managed key).

  5. Click Copy snapshot to create an encrypted version.

  6. Once the encrypted copy is created and validated, delete the original unencrypted snapshot.

  7. Ensure that EBS Default Encryption is turned on to prevent future unencrypted snapshots.
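The same audit (Test Plan steps 3 to 5) and remediation (Implementation Plan steps 3 to 7) expressed against the EC2 API, as an added example that is not part of the original control text. It assumes boto3 is installed and credentials are configured when run against a real account; the snapshot IDs, volume IDs and KMS key identifiers in the sample response are constructed placeholders. The pure functions operate on the DescribeSnapshots response shape and run offline; deletion of the original snapshot (step 6) is deliberately left manual so it happens only after the encrypted copy has been validated.

```python
"""Audit and remediate unencrypted EBS snapshots (added example, not AWS or CIS code)."""
from __future__ import annotations

from typing import Any, Iterable

# Constructed sample in the shape of an EC2 DescribeSnapshots page.
# IDs and the key ARN are placeholders, not real resources.
SAMPLE_DESCRIBE_SNAPSHOTS: dict[str, Any] = {
    "Snapshots": [
        {"SnapshotId": "snap-0a1b2c3d4e5f60001", "VolumeId": "vol-0aaa000000000001",
         "Encrypted": True, "State": "completed",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
        {"SnapshotId": "snap-0a1b2c3d4e5f60002", "VolumeId": "vol-0aaa000000000002",
         "Encrypted": False, "State": "completed"},
        {"SnapshotId": "snap-0a1b2c3d4e5f60003", "VolumeId": "vol-0aaa000000000003",
         "Encrypted": False, "State": "pending"},
    ]
}


def find_unencrypted_snapshots(pages: Iterable[dict[str, Any]]) -> list[dict[str, str]]:
    """Test Plan steps 3-5: return every snapshot whose Encrypted flag is not True.

    `pages` is an iterable of DescribeSnapshots response dicts, which is what a
    boto3 paginator yields. Each finding is a non-compliant snapshot.
    """
    findings = []
    for page in pages:
        for snap in page.get("Snapshots", []):
            if snap.get("Encrypted") is not True:  # missing or False both count
                findings.append({
                    "SnapshotId": snap["SnapshotId"],
                    "VolumeId": snap.get("VolumeId", ""),
                    "State": snap.get("State", ""),
                })
    return findings


def select_copy_candidates(findings: list[dict[str, str]]) -> list[str]:
    """Only completed snapshots can be copied; pending ones are re-checked later."""
    return [f["SnapshotId"] for f in findings if f["State"] == "completed"]


def copy_snapshot_params(snapshot_id: str, source_region: str,
                         kms_key_id: str | None = None) -> dict[str, Any]:
    """Implementation Plan steps 3-5: build CopySnapshot arguments for an encrypted copy.

    With no kms_key_id the service uses the account's default EBS key (alias/aws/ebs);
    pass a customer-managed key ID, ARN or alias to use that instead.
    """
    params: dict[str, Any] = {
        "SourceRegion": source_region,
        "SourceSnapshotId": snapshot_id,
        "Encrypted": True,
        "Description": f"Encrypted copy of {snapshot_id}",
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def audit_and_remediate(region: str, kms_key_id: str | None = None,
                        dry_run: bool = True) -> dict[str, Any]:
    """Run the audit against a real account and, unless dry_run, start encrypted copies
    and turn on EBS default encryption (step 7). Requires boto3 and credentials."""
    import boto3  # imported here so the pure helpers above work without it

    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
    findings = find_unencrypted_snapshots(pages)
    copies: dict[str, str | None] = {}
    for snap_id in select_copy_candidates(findings):
        params = copy_snapshot_params(snap_id, region, kms_key_id)
        copies[snap_id] = None if dry_run else ec2.copy_snapshot(**params)["SnapshotId"]
    default_on = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not default_on and not dry_run:
        ec2.enable_ebs_encryption_by_default()
        default_on = True
    return {"unencrypted": findings, "copies": copies, "ebs_default_encryption": default_on}


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; no AWS calls are made here.
    found = find_unencrypted_snapshots([SAMPLE_DESCRIBE_SNAPSHOTS])
    for snap_id in select_copy_candidates(found):
        print(copy_snapshot_params(snap_id, "us-east-1", "alias/PLACEHOLDER-ebs-key"))
```

Run `audit_and_remediate("us-east-1")` first with the default `dry_run=True` to list findings without changing anything; the original unencrypted snapshots are never deleted by this code, matching step 6, which requires the encrypted copy to be validated before removal.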

Backout Plan:

Using AWS Console:

  1. If application processes depend on the original unencrypted snapshot, retain it temporarily until migration or encryption validation is complete.

  2. Restore access by re-creating volumes from the old snapshot if the encryption process impacts availability.

  3. After successful migration, delete unencrypted backups to eliminate risk.

References:

  • Amazon EBS Snapshot Encryption Documentation

  • AWS KMS Best Practices

  • AWS Security Best Practices Whitepaper