Amazon_ECS_1
Ensure that AWS ECS clusters are encrypted. Data encryption at rest prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and their associated storage systems.
ECS can be launched using the ECS Fargate launch type or on EC2 instances. The Fargate launch type pulls images from the Elastic Container Registry; the images are transmitted over HTTPS and are automatically encrypted at rest using S3 server-side encryption. To encrypt data at rest for EC2 instances using EBS (Elastic Block Store), follow the remediation steps below. Note that existing EBS volumes or snapshots cannot be encrypted in place, but when you copy unencrypted snapshots or restore unencrypted volumes, the resulting snapshots or volumes are encrypted.

ECS remediation steps to encrypt new EBS volumes:

Select 'Create Volume'. There is no option to encrypt an existing EBS volume. To encrypt new EBS volumes, use the following steps to create a snapshot and encrypt the resulting new volume or snapshot using your default CMK:

1. Select your unencrypted volume.
2. Select Actions > Create Snapshot.
3. When the snapshot is complete, select Snapshots under Elastic Block Store, then select your newly created snapshot.
4. You will notice that the Encryption option is set to True. Because the snapshot is itself encrypted, this cannot be modified. The volume created from this snapshot will be encrypted.

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://aws.amazon.com/ecr/features/#Encryption
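The check above only applies to the EC2 launch type, so an automated audit has to join ECS container instances to their EC2 instances and then inspect the attached EBS volumes. The following is an added example (not Cloudlytics' code and not part of the original page) showing that join in Python. It is written against the boto3 call shapes for `list_container_instances`, `describe_container_instances` and `describe_volumes`, but takes the clients as parameters so it runs offline against the constructed `FakeECS`/`FakeEC2` clients below; the cluster name, instance IDs and volume IDs are all constructed sample data.

```python
"""Audit: find unencrypted EBS volumes attached to an ECS cluster's EC2 container instances.

Added example (not the page's own code). The client objects only need to expose the
boto3 methods used here, so real `boto3.client("ecs")` / `boto3.client("ec2")` objects
can be passed in place of the constructed fakes.
"""
from typing import Dict, List, Optional


def ecs_instance_ids(ecs, cluster: str) -> List[str]:
    """Map an ECS cluster's container instances to EC2 instance IDs.

    A Fargate-only cluster has no container instances, so this returns [] and
    the EBS check is skipped for it (ECR handles encryption at rest for images).
    """
    ids: List[str] = []
    token: Optional[str] = None
    while True:  # page through nextToken like the real API
        kwargs = {"cluster": cluster}
        if token:
            kwargs["nextToken"] = token
        page = ecs.list_container_instances(**kwargs)
        arns = page.get("containerInstanceArns", [])
        if arns:
            detail = ecs.describe_container_instances(cluster=cluster, containerInstances=arns)
            ids.extend(ci["ec2InstanceId"] for ci in detail["containerInstances"])
        token = page.get("nextToken")
        if not token:
            return ids


def unencrypted_volumes(ec2, instance_ids: List[str]) -> List[Dict[str, str]]:
    """Return the EBS volumes attached to the given instances whose Encrypted flag is False."""
    findings: List[Dict[str, str]] = []
    if not instance_ids:
        return findings
    token: Optional[str] = None
    while True:
        kwargs = {"Filters": [{"Name": "attachment.instance-id", "Values": instance_ids}]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_volumes(**kwargs)
        for vol in page["Volumes"]:
            if not vol.get("Encrypted", False):  # missing flag is treated as unencrypted
                findings.append({
                    "VolumeId": vol["VolumeId"],
                    "InstanceId": vol["Attachments"][0]["InstanceId"],
                    "AvailabilityZone": vol["AvailabilityZone"],
                })
        token = page.get("NextToken")
        if not token:
            return findings


def audit_cluster(ecs, ec2, cluster: str) -> List[Dict[str, str]]:
    """One finding per unencrypted volume behind the cluster; [] means the check passes."""
    return unencrypted_volumes(ec2, ecs_instance_ids(ecs, cluster))


# ---- constructed sample data standing in for real API responses (assumption) ----
_ARNS = ["arn:aws:ecs:us-east-1:123456789012:container-instance/demo/aaa",
         "arn:aws:ecs:us-east-1:123456789012:container-instance/demo/bbb"]
_ARN_TO_EC2 = {_ARNS[0]: "i-0aaa11111111111", _ARNS[1]: "i-0bbb22222222222"}
_VOLUMES = [
    {"VolumeId": "vol-0root1", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0aaa11111111111", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0data1", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0aaa11111111111", "Device": "/dev/xvdb"}]},
    {"VolumeId": "vol-0root2", "Encrypted": True, "AvailabilityZone": "us-east-1b",
     "Attachments": [{"InstanceId": "i-0bbb22222222222", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0other", "Encrypted": False, "AvailabilityZone": "us-east-1c",
     "Attachments": [{"InstanceId": "i-0ccc33333333333", "Device": "/dev/xvda"}]},  # not in cluster
]


class FakeECS:
    """Minimal stand-in for boto3's ECS client (constructed for the offline demo)."""
    def list_container_instances(self, cluster, nextToken=None):
        return {"containerInstanceArns": list(_ARNS)} if cluster == "demo" else {"containerInstanceArns": []}

    def describe_container_instances(self, cluster, containerInstances):
        return {"containerInstances": [{"containerInstanceArn": a, "ec2InstanceId": _ARN_TO_EC2[a]}
                                       for a in containerInstances]}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client, honouring the attachment.instance-id filter."""
    def describe_volumes(self, Filters, NextToken=None):
        wanted = set(Filters[0]["Values"])
        return {"Volumes": [v for v in _VOLUMES if v["Attachments"][0]["InstanceId"] in wanted]}


if __name__ == "__main__":
    for f in audit_cluster(FakeECS(), FakeEC2(), "demo"):
        print(f"FAIL {f['VolumeId']} on {f['InstanceId']} ({f['AvailabilityZone']}) is not encrypted")
```

Each finding carries the volume's Availability Zone because the page's remediation (snapshot, encrypt, create a new volume) has to recreate the volume in the same AZ before it can be swapped in; the unencrypted volume on an instance outside the cluster is deliberately not reported, since the control is scoped to the ECS cluster.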