Ensure that EC2 instance's volumes are encrypted

Ensures the security of both data at rest and data in transit between an EC2 Instance and its attached EBS volume.

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.CRY.66
Category: Compute

GSL LOGIC

Instance should not have volumes contain [ encrypted=false ]

REMEDIATION

Note: The following instructions describe how to enable encryption by default. Encrypting attached EBS volumes requires further steps, please follow to the documentation for further instructions.

From Portal

  1. Go to 'EC2'
  2. In the upper-right corner, under 'Account attributes', select 'EBS encryption'
  3. Under 'EBS encryption', select 'Manage'
  4. Enable 'Always encrypt new EBS volumes'
  5. Press 'Update EBS encryption'

From TF
To enable EBS encryption by default for your AWS account, set the 'aws_ebs_encryption_by_default' block as following:

resource "aws_ebs_encryption_by_default" "ebs_encryption_by_default_example" {
	enabled = true
}

From Command Line
To enable EBS encryption by default for your AWS account in the current region, use:

aws ec2 enable-ebs-encryption-by-default

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management