Rule: EBS Default Encryption Should Be Enabled

This rule ensures that EBS default encryption is enabled to enhance data security.

Rule: EBS default encryption should be enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

This rule, part of the AWS Foundational Security Best Practices framework, requires that EBS default encryption be enabled. EBS (Elastic Block Store) is a block storage service provided by AWS, and enabling default encryption ensures that newly created EBS volumes are automatically encrypted at rest.

Enabling default encryption helps protect sensitive data and maintain compliance with security regulations. It ensures that even if someone gains unauthorized access to the underlying storage, the data is still encrypted and unreadable.

Troubleshooting Steps

If default encryption for EBS volumes is not enabled, you can follow these troubleshooting steps to enable it:

  1. Check the current status of EBS default encryption for your AWS account by using the AWS CLI command below. The setting is per Region, so the command reports the Region the CLI is configured for (or the one passed with --region):

     aws ec2 get-ebs-encryption-by-default

  2. If the command output shows that EbsEncryptionByDefault is false, default encryption is not enabled.

  3. To enable default encryption, use the AWS CLI:

     aws ec2 enable-ebs-encryption-by-default

  4. After running the above command, verify the change by running the get-ebs-encryption-by-default command again. It should show that EbsEncryptionByDefault is true.

Code

In case you want to automate the process of enabling default encryption for EBS volumes, you can use the following AWS CLI command:

aws ec2 enable-ebs-encryption-by-default

This command will enable default encryption for EBS volumes in your AWS account.
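Because the setting is stored per Region, a single command covers only the Region the CLI is pointed at. The script below is an added example, not code from the original page: it audits every Region enabled for the account and, with --fix, enables default encryption where it is off. It assumes AWS CLI v2 and credentials allowed to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault; the function names and the file name ebs-audit.sh are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumes AWS CLI v2 and
# credentials permitted to call ec2:DescribeRegions,
# ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault.

# Regions enabled for the account, one per line.
list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' '\n'
}

# Run one EBS default-encryption call in a Region and print "true", "false"
# or "error" (the CLI's text output renders booleans as True/False).
ebs_call() {
  local op="$1" region="$2" out
  out=$(aws ec2 "$op" --region "$region" \
        --query 'EbsEncryptionByDefault' --output text 2>/dev/null | tr 'A-Z' 'a-z')
  case "$out" in
    true|false) echo "$out" ;;
    *)          echo "error" ;;
  esac
}

# audit_regions [--fix]
# Prints "<region> <state>" for every Region. With --fix, a Region reporting
# "false" is enabled and the state returned by that call is printed instead.
# Returns 0 only when every Region ends up "true", so it can gate a CI job.
audit_regions() {
  local fix="${1:-}" region state rc=0
  for region in $(list_regions); do
    state=$(ebs_call get-ebs-encryption-by-default "$region")
    if [ "$state" = "false" ] && [ "$fix" = "--fix" ]; then
      state=$(ebs_call enable-ebs-encryption-by-default "$region")
    fi
    echo "$region $state"
    [ "$state" = "true" ] || rc=1
  done
  return "$rc"
}

# Run only when explicitly asked, e.g.: ./ebs-audit.sh audit --fix
if [ "${1:-}" = "audit" ]; then
  audit_regions "${2:-}"
fi
```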

Remediation Steps

Follow these step-by-step instructions to enable default encryption for EBS volumes:

  1. Open the AWS Management Console and navigate to the EC2 service.

  2. In the EC2 Dashboard, click on "Account Attributes" under the "Account Attributes" section on the left-hand side of the page.

  3. On the Account Attributes page, locate the "Default EBS Encryption" setting. If it is set to "Disabled," click on the "Edit" button.

  4. In the Edit Attribute Value dialog box, select "Enable" for the Default EBS Encryption option.

  5. Click on the "Save" button to save the changes.

  6. After saving the changes, verify that default encryption is enabled by running the get-ebs-encryption-by-default command using the AWS CLI:

     aws ec2 get-ebs-encryption-by-default

The output should now show that EbsEncryptionByDefault is true, indicating that default encryption is enabled for EBS volumes.

By following these steps, you have successfully enabled default encryption for EBS volumes in your AWS account, meeting the AWS Foundational Security Best Practices.
