This rule ensures that all attached EBS volumes are encrypted to enhance data security.
Rule | Attached EBS volumes should have encryption enabled |
Framework | AWS Audit Manager Control Tower Guardrails |
Severity | ✔ Medium |
Attached EBS Volumes Should Have Encryption Enabled for AWS Audit Manager Control Tower Guardrails
Ensuring that Amazon Elastic Block Store (EBS) volumes attached to EC2 instances are encrypted is a critical aspect of securing data and maintaining compliance with industry standards and regulations. AWS Audit Manager and Control Tower provide governance with Guardrails to automate compliance checks and enforce policy adherence across your AWS environment.
Description of the Rule
AWS offers a managed set of guardrails, known as Mandatory and Strongly recommended guardrails. For secure data storage, one of the Strongly recommended guardrails is that all EBS volumes must be encrypted. Control Tower sets this up in landing zones, and AWS Audit Manager assesses the usage of EBS encryption for compliance with this rule, tracking if unencrypted EBS volumes are ever attached to an instance.
Encrypted EBS Volumes: Key Benefits
Troubleshooting Steps
If EBS volumes are found to be unencrypted, follow these troubleshooting steps to resolve the compliance issues:
Step 1: Identify Unencrypted EBS Volumes
Use the AWS CLI or the Management Console to list all volumes and check their encryption status. AWS CLI command to list all EBS volumes and their encryption status:
aws ec2 describe-volumes --query "Volumes[*].{ID:VolumeId,Encrypted:Encrypted}" --output table
Review the output and identify the volumes whose Encrypted field is set to false.
Step 2: Create an Encrypted Snapshot of the Unencrypted Volume
Create a snapshot of the existing volume, then copy it with encryption.
AWS CLI commands to achieve this:
# Create a snapshot
aws ec2 create-snapshot --volume-id <unencrypted-volume-id> --description "Snapshot for encryption"
# Wait until the snapshot is completed and then copy it with encryption
aws ec2 copy-snapshot --source-region <your-region> --source-snapshot-id <snapshot-id> --encrypted
Step 3: Create a New Encrypted EBS Volume from the Encrypted Snapshot
Create a new EBS volume from the encrypted snapshot.
aws ec2 create-volume --snapshot-id <encrypted-snapshot-id> --availability-zone <your-availability-zone> --encrypted
Step 4: Detach the Unencrypted Volume and Attach the Encrypted Volume
Detach the unencrypted volume (stop the instance first if it is the root volume; otherwise unmount the filesystem inside the guest), then attach the newly created encrypted volume to the instance under the same device name.
# Detach the existing unencrypted volume
aws ec2 detach-volume --volume-id <unencrypted-volume-id>
# Attach the new encrypted volume
aws ec2 attach-volume --volume-id <encrypted-volume-id> --instance-id <instance-id> --device <device-name>
Step 5: Update the Automation and Monitoring Services
Ensure that any automation, such as CloudFormation templates or AWS Systems Manager documents, reflect the need to use encrypted volumes by default.
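The check and the remediation sequence above, as an added example that is not part of the original page or of any AWS tool: it evaluates the rule over the JSON shape that `aws ec2 describe-volumes --output json` returns (constructed sample data, placeholder IDs) and emits the Step 2 to Step 4 commands for each finding, with `aws ec2 wait` calls inserted between steps so each command runs only once the resource it depends on is ready.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
# Field names are the real API ones; every ID and account number is a placeholder.
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
 {"VolumeId": "vol-0aaa", "Encrypted": false, "AvailabilityZone": "us-east-1a",
  "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdf", "State": "attached"}]},
 {"VolumeId": "vol-0bbb", "Encrypted": true, "AvailabilityZone": "us-east-1a",
  "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder",
  "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda", "State": "attached"}]},
 {"VolumeId": "vol-0ccc", "Encrypted": false, "AvailabilityZone": "us-east-1b",
  "Attachments": []}
]}""")


def noncompliant_attached_volumes(describe_output):
    """Volumes that violate the guardrail: attached (or attaching) and not encrypted.
    vol-0ccc is unencrypted but unattached, so the rule as stated does not flag it."""
    findings = []
    for vol in describe_output["Volumes"]:
        attached = [a for a in vol.get("Attachments", [])
                    if a.get("State") in ("attached", "attaching")]
        if attached and not vol.get("Encrypted", False):
            findings.append({"VolumeId": vol["VolumeId"],
                             "AvailabilityZone": vol["AvailabilityZone"],
                             "InstanceId": attached[0]["InstanceId"],
                             "Device": attached[0]["Device"]})
    return findings


def remediation_plan(finding, region):
    """Ordered AWS CLI commands for one finding: snapshot, encrypted copy, new volume,
    detach, attach. IDs created at runtime are captured into shell variables."""
    v, az = finding["VolumeId"], finding["AvailabilityZone"]
    inst, dev = finding["InstanceId"], finding["Device"]
    return [
        f"SNAP=$(aws ec2 create-snapshot --volume-id {v} --description 'Snapshot for encryption' --query SnapshotId --output text)",
        "aws ec2 wait snapshot-completed --snapshot-ids $SNAP",
        f"ENC_SNAP=$(aws ec2 copy-snapshot --source-region {region} --source-snapshot-id $SNAP --encrypted --query SnapshotId --output text)",
        "aws ec2 wait snapshot-completed --snapshot-ids $ENC_SNAP",
        f"NEW_VOL=$(aws ec2 create-volume --snapshot-id $ENC_SNAP --availability-zone {az} --encrypted --query VolumeId --output text)",
        "aws ec2 wait volume-available --volume-ids $NEW_VOL",
        f"aws ec2 detach-volume --volume-id {v}",   # unmount or stop the instance first
        f"aws ec2 wait volume-available --volume-ids {v}",
        f"aws ec2 attach-volume --volume-id $NEW_VOL --instance-id {inst} --device {dev}",
    ]
```

Feed real output in with `json.load` from `aws ec2 describe-volumes --output json` and review each plan before running it; the old unencrypted volume is intentionally left in place for rollback and cleanup.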
Remediation: Enforce EBS Volume Encryption by Default
To proactively prevent issues, enforce EBS encryption by default. Use the AWS Management Console or AWS CLI to modify the setting.
AWS CLI command to enable default EBS encryption:
aws ec2 enable-ebs-encryption-by-default
When default EBS encryption is enabled, all new EBS volumes created in that region will be encrypted by default, helping to maintain compliance with the AWS Audit Manager Control Tower Guardrails without manual intervention. The setting is per region and does not change existing volumes, so enable it in every region you use and still remediate volumes that are already unencrypted.
Conclusion
By following these steps, you can remediate non-compliant EBS volumes and ensure encryption is enabled by default, aligning with the AWS Audit Manager Control Tower Guardrails for securing data and maintaining compliance. Remember to regularly audit your environment and update your processes to reflect encryption requirements.