This rule ensures that attached EBS volumes have encryption enabled for enhanced security measures.
Rule      | Attached EBS volumes should have encryption enabled
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity  | Medium
Rule Description
The rule requires that all attached Elastic Block Store (EBS) volumes have encryption enabled, in order to align with the standards specified by the NIST Cybersecurity Framework (CSF) v1.1. Encryption adds a layer of protection to the data stored on these volumes, and to the snapshots taken from them, preserving its confidentiality.
Troubleshooting Steps
If the EBS volumes attached to your system do not have encryption enabled, follow these troubleshooting steps:
Identify unencrypted EBS volumes: Start by identifying the unencrypted EBS volumes in use. You can do this by inspecting the settings of each volume in the AWS Management Console or by using AWS CLI commands.
Check encryption status: Verify the encryption status of each volume by examining its attributes. Ensure that the "Encrypted" attribute is set to true.
Check encryption default settings: Check whether encryption by default is enabled for your AWS account. If it is not, enable it so that new volumes are encrypted automatically.
Modify volume encryption: If you find any unencrypted EBS volumes, you will need to enable encryption for them. Because the "Encrypted" attribute is fixed when a volume is created, this means creating an encrypted replacement from a snapshot of the volume, which can be done either through the AWS Management Console or via the AWS CLI.
AWS CLI Commands
The following AWS CLI commands create an encrypted replacement for an unencrypted volume. Encryption cannot be switched on in place: aws ec2 modify-volume has no --encrypted option, and the "Encrypted" attribute is set when a volume is created. The replacement is therefore created from a snapshot of the existing volume, with encryption requested at creation time.
To create an encrypted replacement for a specific volume:
$ aws ec2 create-snapshot --volume-id <volume-id> --query SnapshotId --output text
$ aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone <availability-zone> --encrypted
Replace <volume-id> with the ID of the volume you want to encrypt, <snapshot-id> with the snapshot ID printed by the first command (wait for the snapshot to reach the completed state before using it), and <availability-zone> with the Availability Zone of the instance the volume is attached to. The new volume is encrypted with the account's default EBS KMS key unless --kms-key-id is also given.
To create encrypted replacements for multiple volumes using a script:
$ volumes=(<volume-id-1> <volume-id-2> <volume-id-3>)
$ for volume in "${volumes[@]}"; do
>   az=$(aws ec2 describe-volumes --volume-ids "$volume" --query 'Volumes[0].AvailabilityZone' --output text)
>   snapshot=$(aws ec2 create-snapshot --volume-id "$volume" --query SnapshotId --output text)
>   aws ec2 wait snapshot-completed --snapshot-ids "$snapshot"
>   aws ec2 create-volume --snapshot-id "$snapshot" --availability-zone "$az" --encrypted
> done
Replace <volume-id-1>, <volume-id-2>, etc. with the IDs of the volumes you want to encrypt. In both cases the new volume must then be attached in place of the original: stop the instance (or at least unmount the file system, so the snapshot is consistent), detach the unencrypted volume, attach the encrypted volume under the same device name, and delete the unencrypted volume and its snapshot once the data has been verified.
Remediation Steps
Follow these steps to remediate the issue and enable encryption for your EBS volumes:
Identify unencrypted volumes: Use the previously mentioned troubleshooting steps to identify which EBS volumes are not encrypted.
Modify volume encryption: Use the AWS CLI commands mentioned above to create an encrypted replacement for each unencrypted volume identified and attach it in place of the original. Execute the commands either manually or by using a script for multiple volumes.
Verify encryption status: After enabling encryption, use the AWS Management Console or CLI to verify that the "Encrypted" attribute for each attached volume is set to true.
Automate encryption for new volumes: Enable EBS encryption by default in your AWS account (the setting is per Region) to ensure that all new volumes are encrypted automatically.
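As an added example, not part of the original rule page, the following Python script implements the identify and verify steps: it reads the JSON that aws ec2 describe-volumes prints (the same shape that boto3's describe_volumes() returns), reports attached volumes whose "Encrypted" attribute is false, and prints the replacement commands for each. The embedded SAMPLE_RESPONSE is constructed, and its volume and instance IDs are placeholders.

```python
"""Audit helper: report attached EBS volumes whose Encrypted attribute is false.
Real data:  aws ec2 describe-volumes --output json | python3 ebs_audit.py  (else the sample is used)."""
import json
import sys

# Constructed sample in the shape of a describe-volumes response; IDs are placeholders.
SAMPLE_RESPONSE = {"Volumes": [
    {"VolumeId": "vol-0aaa0000", "Encrypted": False, "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0bbb0000", "Encrypted": True, "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvdf", "State": "attached"}]},
    # Unencrypted but detached: outside this rule's scope, so not reported.
    {"VolumeId": "vol-0ccc0000", "Encrypted": False, "State": "available", "AvailabilityZone": "us-east-1b",
     "Attachments": []},
]}

def is_attached(volume):
    """A volume counts as attached while any attachment is attaching or attached."""
    return any(a.get("State") in ("attaching", "attached") for a in volume.get("Attachments", []))

def unencrypted_attached_volumes(response):
    """Return one finding per attached volume whose Encrypted flag is not true."""
    findings = []
    for vol in response.get("Volumes", []):
        if is_attached(vol) and not vol.get("Encrypted", False):
            findings.append({
                "VolumeId": vol["VolumeId"],
                "AvailabilityZone": vol.get("AvailabilityZone"),
                "Instances": sorted({a["InstanceId"] for a in vol["Attachments"] if "InstanceId" in a}),
            })
    return findings

def remediation_commands(finding):
    """CLI steps that yield an encrypted replacement: snapshot, then create-volume --encrypted."""
    vid, az = finding["VolumeId"], finding["AvailabilityZone"]
    return [
        f"aws ec2 create-snapshot --volume-id {vid} --query SnapshotId --output text",
        f"aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone {az} --encrypted",
    ]

def main():
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in unencrypted_attached_volumes(data):
        print(f"{f['VolumeId']} ({f['AvailabilityZone']}) attached to {', '.join(f['Instances'])}")
        for cmd in remediation_commands(f):
            print("   ", cmd)

if __name__ == "__main__":
    main()
```

Run it after remediation as well: an empty report means every attached volume now carries Encrypted=true.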
By following these steps, you will ensure that all attached EBS volumes have encryption enabled in accordance with the NIST Cybersecurity Framework (CSF) v1.1.