This rule checks that every EBS volume attached to an EC2 instance is set to be deleted when that instance is terminated.

Rule | Attached EBS volumes should have delete on termination enabled
Framework | Federal Financial Institutions Examination Council (FFIEC)
Severity | Medium
Attached EBS Volumes Should Have Delete on Termination Enabled for FFIEC Compliance
The Federal Financial Institutions Examination Council (FFIEC) guidelines expect data storage, including Amazon Elastic Block Store (EBS) volumes, to be managed through its lifecycle and disposed of securely once it is no longer needed. An EBS volume that outlives its instance keeps a full copy of everything written to it, is attached to nothing, and is easy to lose track of, so it becomes unmanaged storage of potentially sensitive data that also keeps accruing cost. Setting the "delete on termination" attribute on every volume attached to an EC2 instance removes the volume automatically when the instance is terminated, which is the simplest way to keep orphaned volumes from accumulating and to stay within the FFIEC expectation.
Description of the Rule
Enabling the "delete on termination" attribute for EBS volumes attached to EC2 instances ensures that data does not persist on volumes that are no longer in use, which supports both data safeguarding and FFIEC compliance. Two caveats apply. First, the attribute only acts on termination; stopping or rebooting an instance leaves its volumes in place. Second, deleting a volume does not delete snapshots taken from it, so snapshots need their own lifecycle and retention policy.
Each EBS volume attached to an instance carries an attribute that determines whether the volume is deleted or retained when the instance is terminated. In practice the root volume defaults to "true" (the AMI creator can change this), a non-root volume attached after launch defaults to "false", and a volume defined in a launch-time block device mapping gets whatever that mapping specifies. Because the default varies, meeting this rule requires setting the attribute to "true" explicitly for all EBS volumes. Since the attribute destroys the volume's data on termination, confirm before enabling it on a data volume that the data is reproducible or already snapshotted; a volume that genuinely must outlive its instance should be handled as a documented exception to this rule rather than left attached with the flag off.
Troubleshooting Steps
If an EBS volume is not configured to delete on termination, follow these steps to find and fix it.
Checking the "Delete on Termination" Attribute
Run describe-instances (or open the instance's Storage tab in the console) and inspect the "DeleteOnTermination" value of every block device mapping that has an "Ebs" member. Any mapping where the value is "false" is a finding for this rule; mappings without an "Ebs" member are instance store volumes and are not covered.
Modifying the EBS Volume Attribute
Using AWS CLI
Use the modify-instance-attribute command to update the "delete on termination" attribute of a volume that is already attached:

```shell
aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --block-device-mappings "[{\"DeviceName\":\"/dev/sdf\",\"Ebs\":{\"DeleteOnTermination\":true}}]"
```

Replace i-1234567890abcdef0 with your instance ID and /dev/sdf with the device name shown in the instance's block device mapping. The attribute belongs to the attachment, not to the volume, so the change must cover every non-compliant volume on the instance; several mappings can be passed in a single call.
Remediation Step-by-Step Guide
Enabling "Delete on Termination" During Instance Launch
Using AWS CLI
To set the "delete on termination" attribute at launch, include a block device mapping with your run-instances command:

```shell
aws ec2 run-instances --image-id ami-12345678 --count 1 --instance-type t2.micro --block-device-mappings "[{\"DeviceName\":\"/dev/sdm\",\"Ebs\":{\"VolumeSize\":12,\"DeleteOnTermination\":true}}]"
```

Adjust --image-id, --count, --instance-type and --block-device-mappings as needed. Set "DeleteOnTermination": true on every "Ebs" entry in the mapping, including the root device, so that no volume relies on a default. The same block device mapping belongs in the launch template used for instances created by Auto Scaling, otherwise every scaled-in instance leaves its data volumes behind.
Modifying an Existing Instance
For an instance that is already running, use modify-instance-attribute as described under Troubleshooting Steps above. The volume keeps its data and stays attached; only the attachment flag changes.
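The check-and-fix loop above (inspect each block device mapping, then repair the attachment flag), as an added Python example that is not part of the original page: it walks a describe-instances response in the JSON shape returned by the CLI and by boto3, lists every attached EBS volume whose DeleteOnTermination is not true, and builds the BlockDeviceMappings payload that modify-instance-attribute expects. The instance and volume IDs are constructed sample data; apply_remediation assumes a boto3 EC2 client whose caller holds ec2:ModifyInstanceAttribute and is not executed here.

```python
"""Find attached EBS volumes that would survive instance termination and build
the modify-instance-attribute payload that fixes them.

Added example, not code from the original page. Works on the JSON shape of
`aws ec2 describe-instances` / boto3 describe_instances().
"""
import json

# Constructed sample data (not real resources): two instances, one with a
# compliant root volume, a non-compliant data volume and an instance store
# mapping; the other with a non-compliant root volume.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{
        "Instances": [
            {
                "InstanceId": "i-1234567890abcdef0",
                "State": {"Name": "running"},
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda",
                     "Ebs": {"VolumeId": "vol-0aaa", "DeleteOnTermination": True}},
                    {"DeviceName": "/dev/sdf",
                     "Ebs": {"VolumeId": "vol-0bbb", "DeleteOnTermination": False}},
                    {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
                ],
            },
            {
                "InstanceId": "i-0fedcba0987654321",
                "State": {"Name": "stopped"},
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda",
                     "Ebs": {"VolumeId": "vol-0ccc", "DeleteOnTermination": False}},
                ],
            },
        ]
    }]
}


def find_noncompliant_volumes(describe_instances_response):
    """Return (instance_id, device_name, volume_id) for every attached EBS
    volume whose DeleteOnTermination flag is not True."""
    findings = []
    for reservation in describe_instances_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for mapping in instance.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                if ebs is None:  # instance store mapping: nothing persists anyway
                    continue
                if ebs.get("DeleteOnTermination") is not True:
                    findings.append((instance["InstanceId"],
                                     mapping["DeviceName"],
                                     ebs.get("VolumeId")))
    return findings


def build_remediation(findings):
    """Group findings per instance into the BlockDeviceMappings argument that
    modify_instance_attribute (CLI: --block-device-mappings) accepts."""
    per_instance = {}
    for instance_id, device_name, _volume_id in findings:
        per_instance.setdefault(instance_id, []).append(
            {"DeviceName": device_name, "Ebs": {"DeleteOnTermination": True}})
    return per_instance


def remediation_cli_commands(findings):
    """Render the equivalent `aws ec2 modify-instance-attribute` commands,
    one per instance, with all of that instance's fixes in a single call."""
    return [
        "aws ec2 modify-instance-attribute --instance-id {} "
        "--block-device-mappings '{}'".format(
            instance_id, json.dumps(mappings, separators=(",", ":")))
        for instance_id, mappings in build_remediation(findings).items()
    ]


def apply_remediation(findings, ec2_client):
    """Apply the fixes through a boto3 EC2 client (assumed to be passed in by
    the caller, e.g. boto3.client("ec2")). Returns the number of API calls."""
    calls = 0
    for instance_id, mappings in build_remediation(findings).items():
        ec2_client.modify_instance_attribute(InstanceId=instance_id,
                                             BlockDeviceMappings=mappings)
        calls += 1
    return calls


if __name__ == "__main__":
    # Offline run on the constructed sample: prints the two fix commands.
    for command in remediation_cli_commands(
            find_noncompliant_volumes(SAMPLE_DESCRIBE_INSTANCES)):
        print(command)
```

Against a real account, feed the function the pages of a describe_instances paginator rather than a single response, and review the findings before calling apply_remediation: enabling the flag on a data volume means that volume is destroyed the next time the instance terminates, so a volume that must persist should get an exception record, not a silent fix.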
Code for Automated Compliance Checking
You can create an automated policy that checks and enforces the "delete on termination" flag on EBS volumes using AWS Config rules or a custom Lambda function.
Example AWS Config Rule
AWS Config lets you write a custom rule, backed by a Lambda function or a Guard custom policy, that evaluates each AWS::EC2::Instance configuration item and marks the instance NON_COMPLIANT when any attached EBS volume is not set to delete on termination. Because Config continuously records configuration changes, the rule is re-evaluated whenever a volume is attached or an instance attribute is modified, so a regression is flagged shortly after it happens rather than at the next audit.
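The Lambda-backed custom rule described above, as an added Python example that is not part of the original page and not an AWS-provided rule: it follows the contract Config uses for custom rules (an invokingEvent JSON string carrying the configuration item, and results reported through config:PutEvaluations), returns NOT_APPLICABLE for deleted resources and for resource types other than EC2 instances, and names the offending device names in the annotation. The configuration item is constructed sample data; the handler's default of creating a boto3 Config client is an assumption about the Lambda runtime and is only exercised when no client is passed in.

```python
"""Custom AWS Config rule: every EBS volume attached to an EC2 instance must
have deleteOnTermination set. Added example, not AWS's or the page's own code.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# Constructed sample of the configurationItem Config delivers for an instance
# (Config normalises the EC2 model to camelCase). Not a real resource.
SAMPLE_CONFIG_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-1234567890abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "blockDeviceMappings": [
            {"deviceName": "/dev/xvda",
             "ebs": {"volumeId": "vol-0aaa", "deleteOnTermination": True}},
            {"deviceName": "/dev/sdf",
             "ebs": {"volumeId": "vol-0bbb", "deleteOnTermination": False}},
        ]
    },
}


def evaluate_compliance(configuration_item):
    """Decide compliance for one configuration item.
    Returns (compliance_type, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "Rule only evaluates EC2 instances"
    # A deleted instance still produces a configuration item; nothing to assess.
    if configuration_item.get("configurationItemStatus") in (
            "ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Instance has been deleted"
    configuration = configuration_item.get("configuration") or {}
    offenders = [
        mapping.get("deviceName")
        for mapping in configuration.get("blockDeviceMappings", [])
        if mapping.get("ebs") is not None            # skip instance store mappings
        and mapping["ebs"].get("deleteOnTermination") is not True
    ]
    if offenders:
        return NON_COMPLIANT, ("EBS volumes not set to delete on termination: "
                               + ", ".join(offenders))
    return COMPLIANT, "All attached EBS volumes delete on termination"


def build_evaluation(configuration_item):
    """Shape one result the way config:PutEvaluations expects it."""
    compliance_type, annotation = evaluate_compliance(configuration_item)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # PutEvaluations caps annotations at 256 chars
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config. Returns the evaluation it submitted,
    or None when the notification carries no inline configuration item."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Oversized and scheduled notifications carry no item inline; they need a
        # GetResourceConfigHistory lookup, which this example does not implement.
        return None
    evaluation = build_evaluation(invoking_event["configurationItem"])
    if config_client is None:
        import boto3  # assumption: running in Lambda, where boto3 is available
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation
```

Deploy the function with an execution role that allows config:PutEvaluations, register it as a custom rule scoped to AWS::EC2::Instance with the change-triggered evaluation mode, and pair it with the remediation step above (or an SSM Automation document) if you want findings fixed automatically rather than just reported.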
By following these remediation steps and creating automated checks, organizations can ensure compliance with data management and disposal requirements set by the FFIEC, thereby protecting sensitive financial data.