Amazon_EC2_2

Ensure all EBS volumes are encrypted

Description

Amazon Elastic Block Store (EBS) volumes can be encrypted using keys managed by AWS Key Management Service (KMS). In this configuration, encryption and decryption are handled transparently and require no additional action from the user, the Amazon EC2 instance, or the application. When an encrypted EBS volume is attached to a supported EC2 instance type, the data stored at rest on the volume, the disk I/O between the instance and the volume, and snapshots created from the volume are all encrypted. The encryption is performed on the servers that host EC2 instances, so plaintext data never leaves the host. Snapshots of encrypted volumes are automatically encrypted, and volumes created from encrypted snapshots are automatically encrypted. An existing unencrypted volume cannot be encrypted in place; it has to be replaced by a volume created from an encrypted copy of its snapshot, as described under Remediation. It is recommended that all EBS volumes be encrypted.

Remediation

Using the AWS Command Line Interface:

  1. Note the volume ids of all unencrypted EBS volumes and create a snapshot of each one (stop the instance, or at least quiesce the filesystem, first if you need a crash-consistent snapshot):
     aws ec2 create-snapshot --volume-id <unencrypted_ebs_volume> --description "Snapshot for encryption operation"
  2. Note the SnapshotId element from the output of step 1 and, once that snapshot is complete, copy it to an encrypted snapshot using the KMS key created for the web tier:
     aws ec2 copy-snapshot --source-region <application_region> --source-snapshot-id <unencrypted_ebs_snapshot> --description "Encrypted snapshot." --encrypted --kms-key-id <web_tier_kms_key>
  3. Note the SnapshotId element from the output of step 2 and create a new EBS volume from the encrypted snapshot in the same Availability Zone as the unencrypted volume (pass the same --volume-type as the original, and for io1/io2 the same --iops, so the replacement keeps the original's performance characteristics):
     aws ec2 create-volume --availability-zone <application_az> --snapshot-id <encrypted_ebs_snapshot>
  4. Tag the newly created EBS volume using the VolumeId from the previous step, <encrypted_ebs_volume>:
     aws ec2 create-tags --resources <encrypted_ebs_volume> --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>
  5. Detach the unencrypted volume from its instance and attach the new encrypted volume in its place under the same device name. A root volume can only be detached while the instance is stopped.
  6. After verifying that the instance runs correctly from the encrypted volume, delete the unencrypted EBS volume. The unencrypted snapshot taken in step 1 still holds the data in plaintext, so delete it as well once it is no longer needed:
     aws ec2 delete-volume --volume-id <unencrypted_ebs_volume>

To stop new unencrypted volumes from appearing, also enable EBS encryption by default for the account in each region in use. That setting applies only to volumes created after it is turned on; existing volumes still have to be migrated as above.
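The steps above, wrapped in one shell function as an added example (this is not part of the benchmark text). It adds the pieces the step list leaves implicit: waiting for each snapshot and volume to reach a usable state, carrying the volume type across, swapping the new volume onto the instance under the old device name, and leaving the final delete to the operator. The volume id, KMS key id and region are placeholders supplied by the caller; the `MigratedFrom` tag key is an assumed convention, and `list_unencrypted_volumes` is the audit query that finds candidate volumes.

```shell
#!/usr/bin/env bash
# Added example (not benchmark text): encrypt one EBS volume by replacing it with a
# volume built from an encrypted snapshot copy. Inputs are placeholders from the
# caller; the "MigratedFrom" tag is an assumed convention.
set -eu

# Audit: print the ids of every unencrypted EBS volume in a region, one per line.
list_unencrypted_volumes() {
  aws ec2 describe-volumes --region "$1" \
    --filters Name=encrypted,Values=false \
    --query 'Volumes[].VolumeId' --output text | tr '\t' '\n'
}

# Replace one unencrypted volume with an encrypted copy and print the new volume id.
# The source volume is left in place so the operator can verify before deleting it.
# Usage: encrypt_volume <unencrypted-volume-id> <kms-key-id> <region>
encrypt_volume() {
  local vol="$1" kms_key="$2" region="$3"
  local info az vtype instance device snap enc_snap new_vol

  # Placement and type: the copy must land in the same AZ. io1/io2 (and gp3 with
  # non-default settings) also need --iops/--throughput copied, which is not done here.
  info=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
           --query 'Volumes[0].[AvailabilityZone,VolumeType]' --output text)
  set -- $info; az=$1; vtype=$2

  # Current attachment; both fields print as "None" for a detached volume.
  info=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
           --query 'Volumes[0].Attachments[0].[InstanceId,Device]' --output text)
  set -- $info; instance=$1; device=$2

  # Step 1: snapshot the unencrypted volume and wait for it. For a consistent
  # snapshot of a busy filesystem, stop the instance or freeze the filesystem first.
  snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
           --description "Snapshot for encryption operation" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap"

  # Step 2: copy it as an encrypted snapshot under the chosen KMS key.
  enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
               --source-snapshot-id "$snap" --encrypted --kms-key-id "$kms_key" \
               --description "Encrypted copy of $snap" \
               --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap"

  # Step 3: build the replacement volume in the same AZ with the same volume type.
  new_vol=$(aws ec2 create-volume --region "$region" --availability-zone "$az" \
              --snapshot-id "$enc_snap" --volume-type "$vtype" \
              --query VolumeId --output text)
  aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol"

  # Step 4: tag the new volume so the migration is traceable (assumed tag key).
  aws ec2 create-tags --region "$region" --resources "$new_vol" \
    --tags "Key=MigratedFrom,Value=$vol"

  # Step 5: swap the volumes on the instance. A root volume can only be detached
  # from a stopped instance; for a data volume, unmount it in the guest first.
  if [ "$instance" != None ]; then
    aws ec2 detach-volume --region "$region" --volume-id "$vol"
    aws ec2 wait volume-available --region "$region" --volume-ids "$vol"
    aws ec2 attach-volume --region "$region" --volume-id "$new_vol" \
      --instance-id "$instance" --device "$device"
    aws ec2 wait volume-in-use --region "$region" --volume-ids "$new_vol"
  fi

  # Step 6 is deliberately manual: after verifying the instance on the new volume,
  # run "aws ec2 delete-volume --volume-id <old volume>" and delete the plaintext
  # snapshot from step 1 as well.
  echo "$new_vol"
}

# Run directly: ./encrypt_volume.sh vol-0123456789abcdef0 <kms-key-id> us-east-1
if [ "$#" -eq 3 ]; then
  encrypt_volume "$@"
fi
```

Because every AWS call goes through the `aws` command name, the function can be dry-run by shadowing `aws` with a shell function that logs its arguments, which is also how the sequence of calls can be reviewed before touching a production volume.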


References:

  1. https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_considerations
  3. https://docs.aws.amazon.com/cli/latest/reference/ec2/create-snapshot.html
  4. https://docs.aws.amazon.com/cli/latest/reference/ec2/copy-snapshot.html
  5. https://docs.aws.amazon.com/cli/latest/reference/ec2/create-volume.html
  6. https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-volume.html

Service

EC2

Severity

High

Compliance

Mapping
