Ensure that EC2 instance's volumes are encrypted
Ensures the security of both data at rest and data in transit between an EC2 Instance and its attached EBS volume.
Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.66
Category: Compute
GSL LOGIC
Instance should not have volumes contain [ encrypted=false ]
REMEDIATION
Note: The following instructions describe how to enable encryption by default. Encrypting attached EBS volumes requires further steps, please follow to the documentation for further instructions.
From Portal
- Go to 'EC2'
- In the upper-right corner, under 'Account attributes', select 'EBS encryption'
- Under 'EBS encryption', select 'Manage'
- Enable 'Always encrypt new EBS volumes'
- Press 'Update EBS encryption'
From TF
To enable EBS encryption by default for your AWS account, set the 'aws_ebs_encryption_by_default' block as following:
resource "aws_ebs_encryption_by_default" "ebs_encryption_by_default_example" {
enabled = true
}
From Command Line
To enable EBS encryption by default for your AWS account in the current region, use:
aws ec2 enable-ebs-encryption-by-default
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
Updated over 1 year ago