Amazon_EC2_15

Ensure All EBS Snapshots Are Encrypted

Description

EBS volume snapshots hold sensitive and critical data and should be encrypted to avoid loss of sensitive data.

Remediation

1. Sign in to the AWS Management Console.

2. Navigate to the EC2 dashboard.

3. In the left navigation panel, under the ELASTIC BLOCK STORE section, choose Snapshots.

4. Select the unencrypted EBS snapshot that you want to encrypt.

5. Click the Actions dropdown button from the dashboard top menu and select Copy.

6. In the Copy Snapshot dialog box, perform the following actions:

  1. From the Destination region dropdown list, select the region where you want to write the copy of the snapshot.
  2. (Optional) Edit the snapshot copy description in the Description box.
  3. Check the Encrypt this snapshot checkbox next to Encryption. From the Master Key dropdown list, select the Customer Master Key (CMK) to use to encrypt the selected EBS snapshot. If no custom KMS CMKs have been created in your account, you can use the default master key (i.e. (default) aws/ebs), a predefined key that protects your EBS snapshots when no other key is defined.
  4. Click Copy to confirm the action.

7. In the Copy Snapshot confirmation dialog box, click Snapshots (link) to go to the Snapshots page in the specified AWS region, or choose Close to return to the EC2 dashboard.

8. Now that you have an encrypted copy of your EBS volume snapshot, you can safely delete the original (unencrypted) snapshot.
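The same remediation scripted with boto3, as an added example that is not part of the original page. It goes beyond the single-snapshot console flow by finding every unencrypted snapshot the account owns, copying each with encryption enabled, and confirming the copy is encrypted before the original may be deleted. The function names and the us-east-1 region are assumptions made for illustration.

```python
def unencrypted_snapshots(ec2):
    """Return snapshots owned by this account that are not encrypted."""
    pages = ec2.get_paginator("describe_snapshots").paginate(
        OwnerIds=["self"],
        Filters=[{"Name": "encrypted", "Values": ["false"]}],
    )
    # Re-check the flag client-side rather than trusting the filter alone.
    return [s for p in pages for s in p["Snapshots"] if not s.get("Encrypted")]


def encrypt_by_copy(ec2_dest, snapshot_id, source_region, kms_key_id=None):
    """Copy one snapshot with encryption on (steps 5-6); return the new ID."""
    args = {
        "SourceSnapshotId": snapshot_id,
        "SourceRegion": source_region,
        "Encrypted": True,
        "Description": f"Encrypted copy of {snapshot_id}",
    }
    if kms_key_id:  # left out: EBS falls back to the default key (aws/ebs)
        args["KmsKeyId"] = kms_key_id
    new_id = ec2_dest.copy_snapshot(**args)["SnapshotId"]
    # Wait for the copy to finish, then confirm it really is encrypted.
    ec2_dest.get_waiter("snapshot_completed").wait(SnapshotIds=[new_id])
    copy = ec2_dest.describe_snapshots(SnapshotIds=[new_id])["Snapshots"][0]
    if not copy.get("Encrypted"):
        raise RuntimeError(f"{new_id} is not encrypted; keeping {snapshot_id}")
    return new_id


def remediate(ec2_src, ec2_dest, source_region, kms_key_id=None,
              delete_original=False):
    """Encrypt every unencrypted snapshot; map original ID to copy ID."""
    copies = {}
    for snap in unencrypted_snapshots(ec2_src):
        old_id = snap["SnapshotId"]
        copies[old_id] = encrypt_by_copy(ec2_dest, old_id, source_region, kms_key_id)
        if delete_original:  # step 8, only after the copy was verified
            ec2_src.delete_snapshot(SnapshotId=old_id)
    return copies


if __name__ == "__main__":
    import boto3  # imported here so the functions above work with any client

    region = "us-east-1"  # assumption: source and destination region
    client = boto3.client("ec2", region_name=region)
    for old, new in remediate(client, client, region).items():
        print(f"{old} -> {new}")
```

`delete_original` defaults to `False`, so the unencrypted originals are kept until the copies have been reviewed.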

Service

EC2

Severity

Medium

Compliance

Mapping
