Profile Applicability:
Level 1
Description:
This control ensures that all Amazon Elastic Block Store (EBS) volumes are encrypted to protect data at rest. EBS encryption helps secure the data stored on EC2 instances by using AWS Key Management Service (KMS) keys to encrypt both the volume data and all associated snapshots. Unencrypted EBS volumes expose sensitive information to potential unauthorized access if an instance or snapshot is compromised.
Rationale:
Encrypting EBS volumes ensures that data is protected throughout its lifecycle — at rest, in transit between the instance and the volume, and in any created snapshots or backups. This reduces the risk of data exposure and helps meet compliance requirements such as CIS, SOC 2, ISO 27001, HIPAA, and GDPR. Enforcing encryption aligns with the principle of defense in depth and ensures that even if data is accessed without authorization, it remains unreadable.
Impact:
Positive Impact: Strengthens data security by ensuring all stored information is encrypted using industry-standard AES-256 encryption, enhancing compliance and confidentiality.
Negative Impact: Existing unencrypted volumes must be recreated or migrated as encrypted, which may involve downtime during data transfer.
Default Value:
By default, EBS encryption is disabled at the account level unless explicitly enabled under “EBS default encryption.”
Pre-Requisite:
- IAM permissions required: ec2:DescribeVolumes, ec2:ModifyVolume, ec2:CreateSnapshot, ec2:CopySnapshot.
- KMS must be enabled for encryption key management.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Volumes.
In the list view, check the Encryption column for all volumes.
If any volume shows “Not encrypted”, it is non-compliant.
Optionally, use AWS Config or Security Hub to identify unencrypted volumes automatically across accounts and regions.
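The console check above can be automated. The following is an added example (not part of the benchmark text and not AWS code) that applies the same test to the JSON shape returned by `aws ec2 describe-volumes` / boto3 `describe_volumes` and by `get-ebs-encryption-by-default`. The volume and account responses embedded in it are constructed samples; the volume, instance and key identifiers are placeholders.

```python
"""Audit EBS volumes for encryption at rest (added example, not from the
benchmark text). It works on the JSON shape returned by
`aws ec2 describe-volumes` / boto3 `describe_volumes` and by
`get-ebs-encryption-by-default`; the responses below are constructed samples."""

# Constructed sample: what describe_volumes returns for three volumes.
SAMPLE_VOLUMES = {
    "Volumes": [
        {   # attached root volume, NOT encrypted -> finding
            "VolumeId": "vol-0aaa111example",
            "Encrypted": False,
            "AvailabilityZone": "us-east-1a",
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0123example", "Device": "/dev/xvda",
                             "State": "attached"}],
        },
        {   # encrypted with a KMS key -> compliant
            "VolumeId": "vol-0bbb222example",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "AvailabilityZone": "us-east-1a",
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0123example", "Device": "/dev/xvdf",
                             "State": "attached"}],
        },
        {   # detached, NOT encrypted -> still a finding (data at rest)
            "VolumeId": "vol-0ccc333example",
            "Encrypted": False,
            "AvailabilityZone": "us-east-1b",
            "State": "available",
            "Attachments": [],
        },
    ]
}
# Constructed sample of get_ebs_encryption_by_default for an account that
# still has the AWS default (disabled).
SAMPLE_DEFAULT = {"EbsEncryptionByDefault": False}


def find_unencrypted_volumes(response):
    """Return one finding per volume whose Encrypted flag is not True."""
    findings = []
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted") is True:
            continue
        instances = [a["InstanceId"] for a in vol.get("Attachments", [])
                     if a.get("State") in ("attached", "attaching")]
        findings.append({
            "VolumeId": vol["VolumeId"],
            "AvailabilityZone": vol.get("AvailabilityZone"),
            "State": vol.get("State"),
            "Instances": instances,
        })
    return findings


def audit(volumes_response, default_response):
    """Combine the volume findings with the account-level default setting."""
    findings = find_unencrypted_volumes(volumes_response)
    return {
        "total_volumes": len(volumes_response.get("Volumes", [])),
        "unencrypted_count": len(findings),
        "findings": findings,
        "default_encryption_enabled": bool(default_response.get("EbsEncryptionByDefault")),
        # The control is about the volumes themselves; default encryption is
        # reported separately because the benchmark lists it as optional.
        "compliant": not findings,
    }


def audit_live_region(region):
    """Same audit against a real account (needs boto3 plus ec2:DescribeVolumes
    and ec2:GetEbsEncryptionByDefault). Not exercised offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return audit({"Volumes": volumes}, ec2.get_ebs_encryption_by_default())


if __name__ == "__main__":
    report = audit(SAMPLE_VOLUMES, SAMPLE_DEFAULT)
    for f in report["findings"]:
        print(f"NON-COMPLIANT {f['VolumeId']} ({f['State']}, {f['AvailabilityZone']}) "
              f"attached to: {', '.join(f['Instances']) or 'none'}")
    print("EBS default encryption enabled:", report["default_encryption_enabled"])
```

A detached but unencrypted volume is still reported, since its data is at rest regardless of attachment. For a quick one-liner without Python, the same list comes from `aws ec2 describe-volumes --filters Name=encrypted,Values=false --query 'Volumes[].VolumeId'`, run once per region.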
Implementation Plan
Using AWS Console:
Navigate to EC2 → Volumes.
For each unencrypted volume:
Stop the associated EC2 instance.
Create a snapshot of the unencrypted volume.
Go to Snapshots → Select snapshot → Actions → Copy snapshot.
In the copy options, select Encrypt this snapshot and choose an appropriate KMS key (default or custom).
Once the encrypted snapshot is created, use it to create a new encrypted volume.
Detach the unencrypted volume and attach the new encrypted one to the instance.
Start the instance and verify data accessibility.
Optionally, enable EBS default encryption to ensure all future volumes are encrypted by default:
Go to EC2 → Settings → EBS encryption.
Click Manage and select Enable EBS encryption by default.
Choose the desired KMS key and click Save.
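The implementation plan above, carried through as an added example (not the benchmark's or AWS's own code) in Python against the boto3 EC2 client interface: snapshot, encrypted copy of the snapshot, new encrypted volume, swap on the stopped instance, and finally the account-level default. The `FakeEC2` class is a constructed stand-in that records calls so the sequence can be exercised offline; the volume, snapshot, instance and KMS key identifiers are placeholders.

```python
"""Swap an unencrypted EBS volume for an encrypted copy, then enable
account-level default encryption (added example following the benchmark's
implementation plan; not AWS's or the benchmark's own code). It is written
against the boto3 EC2 client interface; `FakeEC2` below is a constructed
stand-in so the sequence can be exercised offline."""


def migrate_volume_to_encrypted(ec2, volume_id, kms_key_id, region):
    """Snapshot -> encrypted snapshot copy -> new encrypted volume -> swap.
    The original volume and the plain snapshot are kept for the backout plan."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol.get("Encrypted"):
        return {"skipped": volume_id}            # already compliant
    att = vol["Attachments"][0] if vol.get("Attachments") else None

    if att:                                      # step: stop the instance first
        ec2.stop_instances(InstanceIds=[att["InstanceId"]])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[att["InstanceId"]])

    plain = ec2.create_snapshot(VolumeId=volume_id,
                                Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[plain])

    # Copy with encryption: this is the step that applies the KMS key.
    enc = ec2.copy_snapshot(SourceSnapshotId=plain, SourceRegion=region,
                            Encrypted=True, KmsKeyId=kms_key_id,
                            Description=f"encrypted copy of {plain}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc])

    new_vol = ec2.create_volume(SnapshotId=enc, AvailabilityZone=vol["AvailabilityZone"],
                                VolumeType=vol.get("VolumeType", "gp3"),
                                Encrypted=True, KmsKeyId=kms_key_id)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    if att:                                      # swap volumes, then restart
        ec2.detach_volume(VolumeId=volume_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_vol, InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
        ec2.start_instances(InstanceIds=[att["InstanceId"]])

    return {"original_volume": volume_id, "plain_snapshot": plain,
            "encrypted_snapshot": enc, "new_volume": new_vol}


def enable_default_encryption(ec2, kms_key_id):
    """Account/region setting so every future volume is encrypted by default."""
    ec2.enable_ebs_encryption_by_default()
    ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    return ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client: records each call
    and returns the minimal responses the functions above read. Not AWS code."""
    def __init__(self):
        self.calls = []
        self.responses = {
            "describe_volumes": {"Volumes": [{
                "VolumeId": "vol-0plain000example", "Encrypted": False,
                "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
                "Attachments": [{"InstanceId": "i-0example", "Device": "/dev/xvdf"}]}]},
            "create_snapshot": {"SnapshotId": "snap-0plain000example"},
            "copy_snapshot": {"SnapshotId": "snap-0enc000example"},
            "create_volume": {"VolumeId": "vol-0enc000example"},
            "get_ebs_encryption_by_default": {"EbsEncryptionByDefault": True},
        }

    def get_waiter(self, name):
        self.calls.append(("wait:" + name, {}))
        return self

    def wait(self, **kwargs):            # waiters return immediately offline
        pass

    def __getattr__(self, name):         # any other API call: record and reply
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return call


def run_offline_demo(kms_key_id="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"):
    """Drive the migration against FakeEC2 and return the client plus result."""
    ec2 = FakeEC2()
    result = migrate_volume_to_encrypted(ec2, "vol-0plain000example", kms_key_id, "us-east-1")
    enabled = enable_default_encryption(ec2, kms_key_id)
    return ec2, result, enabled


if __name__ == "__main__":
    ec2, result, enabled = run_offline_demo()
    for name, kwargs in ec2.calls:
        print(name, kwargs)
    print(result, "default encryption:", enabled)
```

Against a real account, pass `boto3.client("ec2", region_name=region)` instead of `FakeEC2()`. Beyond the permissions listed under Pre-Requisite, the swap also calls StopInstances, CreateVolume, DetachVolume, AttachVolume and StartInstances, and the caller must be allowed to use the chosen KMS key. Nothing is deleted: the original volume and the plain snapshot stay in place until the backout plan's integrity check has been done.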
Backout Plan:
Using AWS Console:
- If issues arise after replacing an unencrypted volume, reattach the original unencrypted volume (which was detached, not deleted) or restore it from its snapshot for recovery.
- Validate data integrity before deleting the unencrypted backups.
References:
- Amazon EBS Encryption Documentation
- AWS Security Best Practices Whitepaper
- AWS Key Management Service (KMS)