Amazon_ECS_1

ECS Cluster At-Rest Encryption

Description

Ensure that AWS ECS clusters are encrypted. Data encryption at rest prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.

Remediation

ECS can be launched using the ECS Fargate launch type or EC2 instances. The ECS Fargate launch type pulls images from the Elastic Container Registry, which are transmitted over HTTPS and are automatically encrypted at rest using S3 server-side encryption. To encrypt data at rest for EC2 instances using EBS (Elastic Block Store), please follow the remediation steps below. Please note that existing EBS volumes or snapshots cannot be encrypted in place, but when you copy unencrypted snapshots, or restore unencrypted volumes, the resulting snapshots or volumes are encrypted. ECS remediation steps to encrypt new EBS volumes:

  1. From within the AWS Management Console, select EC2.
  2. Under ‘Elastic Block Store’ select ‘Volumes’.
  3. Select ‘Create Volume’.
  4. Enter the required configuration for your Volume.
  5. Select the checkbox for ‘Encrypt this volume’.
  6. Select the KMS Customer Master Key (CMK) to be used under ‘Master Key’.
  7. Select ‘Create Volume’.

There is no option to encrypt an existing EBS volume. To encrypt the data on an existing EBS volume, use the following steps to create a snapshot and encrypt the resulting new volume or snapshot using your default CMK:

  1. Select your unencrypted volume.
  2. Select Actions, then Create Snapshot.
  3. When the snapshot is complete, select Snapshots under Elastic Block Store.
  4. Select your newly created snapshot.
  5. Select Actions, then Copy.
  6. Check the box for Encryption.
  7. Select the CMK for KMS to use as required.
  8. Click Copy.
  9. Select the newly created snapshot.
  10. Select Actions, then Create Volume.

You will notice that the normal Encryption option is set to True. Because the snapshot is itself encrypted, this cannot be modified. The volume now created from this snapshot will be encrypted.

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://aws.amazon.com/ecr/features/#Encryption
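
Added example (not part of this rule page or of any AWS tool): an audit that finds unencrypted EBS volumes attached to a cluster's EC2 container instances, i.e. the volumes the remediation above applies to. The core check runs offline on dicts shaped like the ECS and EC2 API responses; the sample IDs and ARNs are constructed, and the optional boto3 collector assumes credentials and region are configured in the environment.

```python
"""Audit EBS volumes attached to ECS container instances for at-rest encryption."""

# Constructed sample data in the shape of `aws ecs describe-container-instances`
# and `aws ec2 describe-volumes` output (placeholder IDs, not a real account).
SAMPLE_CONTAINER_INSTANCES = [
    {"containerInstanceArn": "arn:aws:ecs:REGION:ACCOUNT:container-instance/ci-1",
     "ec2InstanceId": "i-0aaa"},
    {"containerInstanceArn": "arn:aws:ecs:REGION:ACCOUNT:container-instance/ci-2",
     "ec2InstanceId": "i-0bbb"},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-01", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE",
     "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvdcz"}]},
    {"VolumeId": "vol-03", "Encrypted": False,            # attached to a non-ECS host: out of scope
     "Attachments": [{"InstanceId": "i-0ccc", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-04", "Encrypted": False, "Attachments": []},  # detached: out of scope
]


def find_unencrypted_ecs_volumes(container_instances, volumes):
    """Return one finding per unencrypted volume attached to an ECS container host."""
    ecs_hosts = {ci["ec2InstanceId"] for ci in container_instances if ci.get("ec2InstanceId")}
    findings = []
    for vol in volumes:
        if vol.get("Encrypted"):
            continue  # already encrypted at rest; nothing to remediate
        for att in vol.get("Attachments", []):
            if att.get("InstanceId") in ecs_hosts:
                findings.append({"VolumeId": vol["VolumeId"],
                                 "InstanceId": att["InstanceId"],
                                 "Device": att.get("Device")})
    return findings


def collect_from_aws(cluster, region=None):
    """Live collector; boto3 is imported here so the module still runs offline.
    Clusters with more than 100 container instances need the ARN list chunked."""
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    arns = [a for page in ecs.get_paginator("list_container_instances").paginate(cluster=cluster)
            for a in page.get("containerInstanceArns", [])]
    cis = ecs.describe_container_instances(cluster=cluster, containerInstances=arns)["containerInstances"] if arns else []
    vols = [v for page in ec2.get_paginator("describe_volumes").paginate() for v in page["Volumes"]]
    return find_unencrypted_ecs_volumes(cis, vols)


if __name__ == "__main__":
    for f in find_unencrypted_ecs_volumes(SAMPLE_CONTAINER_INSTANCES, SAMPLE_VOLUMES):
        print(f"UNENCRYPTED {f['VolumeId']} on {f['InstanceId']} ({f['Device']})")
```

Each finding names a volume to snapshot and copy with encryption enabled, as described in the steps above.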

Service

ECS

Severity

High

Compliance

Mapping