ECS Cluster At-Rest Encryption

Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.

Risk Level: High
Cloud Entity: Amazon Elastic Container Service - Cluster
CloudGuard Rule ID: D9.AWS.CRY.19
Category: Compute


EcsCluster where( not containerInstances isEmpty()) should have containerInstances with [ instance.volumes contain [ encrypted=true ] ]


From Portal
ECS can be launched using ECS Fargate launch type or EC2 Instance. ECS Fargate launch type pulls images from the Elastic Container Registry, which are transmitted over HTTPS and are automatically encrypted at rest using S3 server-side encryption. To encrypt data at rest for EC2 instances using EBS(Elastic Block Store), please follow the remediation steps below. Please note that existing EBS volumes or snapshots cannot be encrypted, but when you copy unencrypted snapshots, or restore unencrypted volumes, the resulting snapshots or volumes are encrypted.

ECS remediation steps to encrypt new EBS volumes:

  1. From within the AWS Management Console, select EC2.
  2. Under 'Elastic Block Store' select 'Volumes'.
  3. Select 'Create Volume'.
  4. Enter the required configuration for your Volume.
  5. Select the checkbox for 'Encrypt this volume'.
  6. Select the KMS Customer Master Key (CMK) to be used under 'Master Key'.
  7. Select 'Create Volume'.

There is no option to encrypt existing EBS volume. To encrypt new EBS volumes use the following steps to create a snapshot and encrypt the resulting new volume or snapshot using your default CMK:

  1. Select your unencrypted volume.
  2. Select 'Actions' and click on 'Create Snapshot'.
  3. When the snapshot is complete, select Snapshots under Elastic Block Store. Select your newly created snapshot.
  4. Select 'Actions' and Click on 'Create volume from snapshot'
  5. Check the box 'Encrypt this volume'
  6. Select the KMS key to use as required
  7. Click on Create Volume Copy, the volume now created from this snapshot will be encrypted.

From TF

resource "aws_ebs_volume" "example" {
	availability_zone = "ZONE_NAME"
	size = VALUE
	tags = {
		Name = "HelloWorld"
resource "aws_ebs_snapshot" "example_snapshot" {
	volume_id = VALUE
	tags = {
		Name = "HelloWorld_snap"

From Command Line

  1. Run below command to create a new encrypted volume
aws ec2 create-volume --volume-type VALUE --size VALUE --encrypted --kms-key-id KEY_ID --availability-zone VALUE
  1. Run following command to encrypt existing Amazon EBS volumes

a. Run create-snapshot command to create a new snapshot from the existing volume

aws ec2 create-snapshot --volume-id VALUE --description PUT_DESCRIPTION

b. Run copy-snapshot command to copy the EBS volume snapshot created during the previous steps.
Note: --encrypted parameter will encrypt the snapshot copy using default master key and --kms-key-id parameter will encrypt the snapshot with a customer-managed Customer CMK.

aws ec2 copy-snapshot --region REGION_NAME --source-region SOURCE_REGION_NAME --source-snapshot-id PUT_VALUE --encrypted

c. Run create-volume command to create a new EBS volume from the encrypted snapshot created during previous step.

aws ec2 create-volume --region REGION_NAME --volume-type VALUE --size VALUE --encrypted --kms-key-id KEY_ID --availability-zone VALUE --snapshot-id PUT_VALUE



Amazon Elastic Container Service - Cluster

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0