
Rule: EBS Volume Encryption at Rest Should Be Enabled

This rule ensures that EBS volume encryption at rest is enabled to enhance data security.

Rule: EBS volume encryption at rest should be enabled
Framework: RBI Cyber Security Framework
Severity: Low

Rule Description

The rule requires that EBS (Elastic Block Store) volume encryption at rest be enabled to comply with the RBI (Reserve Bank of India) Cyber Security Framework. This ensures that sensitive data stored on EBS volumes is protected by encryption to prevent unauthorized access and data breaches.

Troubleshooting Steps

1. Verify whether EBS volume encryption at rest is enabled by default in your AWS account. If encryption is already enabled, no further action is needed.
2. If encryption is not enabled, it may affect compliance with the RBI Cyber Security Framework. Proceed to the remediation steps to enable encryption.

Remediation Steps

1. Identify EBS Volumes

List all existing EBS volumes in your AWS account to identify the volumes that require encryption. Run the following AWS CLI command:

aws ec2 describe-volumes

2. Enable Encryption

For each EBS volume that does not have encryption enabled, follow these steps to enable encryption:

Option A: Create a New Encrypted Volume (Recommended)

1. Create a new encrypted volume to replace the unencrypted volume. Run the following AWS CLI command, replacing [EXISTING_VOLUME_SIZE] and [EXISTING_VOLUME_AZ] with the size and Availability Zone of the existing volume, and [YOUR_KMS_KEY_ID] with your KMS key ID:

aws ec2 create-volume --encrypted --volume-type gp2 --size [EXISTING_VOLUME_SIZE] --availability-zone [EXISTING_VOLUME_AZ] --kms-key-id [YOUR_KMS_KEY_ID]

Ensure that [YOUR_KMS_KEY_ID] is a Customer Master Key (CMK) from the AWS Key Management Service (KMS) and is compliant with the RBI Cyber Security Framework. Note that a volume created without a snapshot starts empty, so the data on the existing volume must be copied to the new volume before the old one is retired.

2. Wait for the new encrypted volume to be created.

3. Detach the existing unencrypted volume from the instance. Run the following AWS CLI command, replacing [EXISTING_VOLUME_ID] with the appropriate value:

aws ec2 detach-volume --volume-id [EXISTING_VOLUME_ID]

4. Attach the newly created encrypted volume to the same instance, using the device name the previous volume used. Run the following AWS CLI command, replacing [NEW_VOLUME_ID], [INSTANCE_ID] and [DEVICE] with the appropriate values:

aws ec2 attach-volume --volume-id [NEW_VOLUME_ID] --instance-id [INSTANCE_ID] --device [DEVICE]

Option B: Enable Encryption on Existing Volume

Note: This option may involve more downtime and potential data migration. Proceed with caution and ensure that you have a proper backup before starting.

1. Create a snapshot of the existing unencrypted volume. Run the following AWS CLI command, replacing [EXISTING_VOLUME_ID] with the appropriate value:

aws ec2 create-snapshot --volume-id [EXISTING_VOLUME_ID]

2. Wait for the snapshot to complete.

3. Create a new encrypted volume from the snapshot. Run the following AWS CLI command, replacing [EXISTING_VOLUME_SIZE], [EXISTING_VOLUME_AZ], [SNAPSHOT_ID] and [YOUR_KMS_KEY_ID] with the appropriate values:

aws ec2 create-volume --encrypted --volume-type gp2 --size [EXISTING_VOLUME_SIZE] --availability-zone [EXISTING_VOLUME_AZ] --snapshot-id [SNAPSHOT_ID] --kms-key-id [YOUR_KMS_KEY_ID]

4. Wait for the new encrypted volume to be created.

5. Detach the existing unencrypted volume from the instance. Run the following AWS CLI command, replacing [EXISTING_VOLUME_ID] with the appropriate value:

aws ec2 detach-volume --volume-id [EXISTING_VOLUME_ID]

6. Attach the newly created encrypted volume to the same instance, using the device name the previous volume used. Run the following AWS CLI command, replacing [NEW_VOLUME_ID], [INSTANCE_ID] and [DEVICE] with the appropriate values:

aws ec2 attach-volume --volume-id [NEW_VOLUME_ID] --instance-id [INSTANCE_ID] --device [DEVICE]

3. Verify Encryption

After enabling encryption on the EBS volumes, verify that encryption is enabled and working correctly. Run the following AWS CLI command, replacing [NEW_VOLUME_ID] with the appropriate value:

aws ec2 describe-volumes --volume-ids [NEW_VOLUME_ID] --query "Volumes[].{VolumeID:VolumeId, Encrypted:Encrypted}"

Ensure that the output shows "Encrypted": true for all the volumes.
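The identification step (1) and the verification step (3) above can be automated over the JSON that `aws ec2 describe-volumes` returns. The following is an added example, not Cloud Defense's own tooling: it runs offline against a constructed sample of that output with placeholder volume, instance and key IDs, picks out the unencrypted volumes with the size, zone, instance and device the remediation commands need, renders the Option B command sequence for each, and implements the final "every volume reports Encrypted: true" check.

```python
import json

# Constructed sample of `aws ec2 describe-volumes` output (not real account data):
# one encrypted volume, one unencrypted attached volume, one unencrypted unattached.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE",
     "AvailabilityZone": "ap-south-1a", "Size": 8, "VolumeType": "gp2",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "AvailabilityZone": "ap-south-1a",
     "Size": 100, "VolumeType": "gp2",
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "AvailabilityZone": "ap-south-1b",
     "Size": 20, "VolumeType": "gp2", "Attachments": []},
]})

def find_unencrypted_volumes(describe_volumes_json):
    """Step 1: list each unencrypted volume with the fields the remediation needs."""
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if vol.get("Encrypted") is True:
            continue
        att = vol.get("Attachments") or []  # unattached volumes carry an empty list
        findings.append({
            "VolumeId": vol["VolumeId"], "Size": vol["Size"],
            "AvailabilityZone": vol["AvailabilityZone"],
            "VolumeType": vol.get("VolumeType", "gp2"),
            "InstanceId": att[0]["InstanceId"] if att else None,
            "Device": att[0]["Device"] if att else None})
    return findings

def remediation_commands(finding, kms_key_id):
    """Fill in the snapshot-based (Option B) CLI sequence for one finding. [SNAPSHOT_ID]
    and [NEW_VOLUME_ID] stay as placeholders: they are only known after each step runs."""
    cmds = [f"aws ec2 create-snapshot --volume-id {finding['VolumeId']}",
            f"aws ec2 create-volume --encrypted --volume-type {finding['VolumeType']} "
            f"--size {finding['Size']} --availability-zone {finding['AvailabilityZone']} "
            f"--snapshot-id [SNAPSHOT_ID] --kms-key-id {kms_key_id}"]
    if finding["InstanceId"]:  # detach/attach only apply to volumes that are in use
        cmds.append(f"aws ec2 detach-volume --volume-id {finding['VolumeId']}")
        cmds.append(f"aws ec2 attach-volume --volume-id [NEW_VOLUME_ID] "
                    f"--instance-id {finding['InstanceId']} --device {finding['Device']}")
    return cmds

def all_encrypted(describe_volumes_json, volume_ids=None):
    """Step 3: True only when every (selected) volume reports "Encrypted": true."""
    vols = json.loads(describe_volumes_json)["Volumes"]
    if volume_ids is not None:
        vols = [v for v in vols if v["VolumeId"] in set(volume_ids)]
    return bool(vols) and all(v.get("Encrypted") is True for v in vols)
```

Against a live account, pipe the real `aws ec2 describe-volumes` output into these functions instead of the sample; an empty selection in `all_encrypted` deliberately fails rather than passing vacuously.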

Conclusion

By following the above steps, you ensure that EBS volume encryption at rest is enabled for compliance with the RBI Cyber Security Framework.
