Logo of Trend Micro

Enable Encryption for Unattached Disks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all your unattached Elastic Compute Service (ECS) disks are encrypted in order to meet security and compliance requirements. With encryption enabled, your ECS disks can hold sensitive, confidential, and critical data. The data encryption and decryption process is handled transparently and does not require any additional action from you, your server instance, or your application.

Security

When working with production data that is crucial to your business, it is strongly recommended to implement encryption in order to protect it from attackers or unauthorized personnel. After an Elastic Compute Service (ECS) data disk is encrypted, both data in transit and data at rest on the disk are encrypted. Snapshots created from encrypted disks, and new disks created from these snapshots are automatically encrypted. The keys used for data encryption are managed and protected by the Alibaba Cloud key management infrastructure through the Key Management Service (KMS).

Audit

To determine if data encryption is enabled for all unattached ECS data disks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Storage & Snapshots, choose Disks.

04 Select the cloud region where your ECS disks reside from the top navigation bar.

05 Click on the ID (link) of the unattached disk that you want to examine. An unattached ECS disk has the attachment status set to Unattached in the Status column.

06 Select the Basic Information tab and check the Encrypted/Unencrypted attribute value to determine the encryption status for the selected resource. If the Encrypted/Unencrypted value is set to Unencrypted, data encryption is not enabled for the selected Elastic Compute Service (ECS) data disk.

07 Repeat steps no. 5 and 6 for each unattached ECS disk available in the selected cloud region.

08 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeDisks command (OSX/Linux/UNIX) with custom output filters to describe the configuration information available for each unattached ECS disk provisioned in the specified cloud region: 

aliyun ecs DescribeDisks --RegionId 'eu-west-1' --Status Available

02 The command output should return the requested configuration details (including the disk encryption information): 

{
	"Disks": {
		"Disk": [
			{
				"Encrypted": false,
				"Category": "cloud_essd",
				"CreationTime": "2024-02-23T12:08:02Z",
				"DeleteAutoSnapshot": false,
				"DeleteWithInstance": false,
				"DiskChargeType": "PostPaid",
				"DiskName": "tm-project-data-disk",
				"IOPS": 2040,
				
				...

				"InstanceId": "",
				"KMSKeyId": "",
				"MultiAttach": "Disabled",
				"PerformanceLevel": "PL0",
				"Portable": true,
				"RegionId": "eu-west-1",
				"Size": 40,
				"Type": "data",
				"ZoneId": "eu-west-1a"
			},
			{
				"Encrypted": false,
				"Category": "cloud_essd",
				"CreationTime": "2024-02-24T10:08:02Z",
				"DeleteAutoSnapshot": false,
				"DeleteWithInstance": false,
				"DiskChargeType": "PostPaid",
				"DiskName": "tm-project-llm-disk",
				"IOPS": 2040,
				
				...
				
				"InstanceId": "",
				"KMSKeyId": "",
				"MultiAttach": "Disabled",
				"PerformanceLevel": "PL0",
				"Portable": true,
				"RegionId": "eu-west-1",
				"Size": 40,
				"Type": "data",
				"ZoneId": "eu-west-1a"
			}
		]
	},
	"PageNumber": 2,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 2
}

Check the "Encrypted" attribute value for each unattached ECS disk listed within the "Disk" array, returned by the DescribeDisks command output. If the "Encrypted" attribute value is set to false, the selected Elastic Compute Service (ECS) data disk is not encrypted.

03 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable data encryption for all your unattached ECS data disks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Storage & Snapshots, choose Disks.

04 Select the cloud region where your ECS disks reside from the top navigation bar.

05 Directly encrypting existing data disks isn't possible in Elastic Compute Service (ECS). To secure your data, you will need to manually copy it to a newly encrypted data disk. To create a new, encrypted ECS data disk, choose Create Disk, and perform the following actions:

  1. For Attach, select Not Attach.
  2. For Region and Zone, select the appropriate cloud region and availability zone.
  3. For Billing Method, choose the preferred billing method.
  4. For Storage, choose the disk category, size, and performance level. Select the Disk Encryption setting checkbox and choose the required KMS key from the setting dropdown list. To use the default Customer Master Key (CMK) provided by the ECS service, choose Default Service CMK. You can also use your own CMK to encrypt the data stored on the disk.
  5. For Terms of Service, select the ECS Terms of Service checkbox for confirmation.
  6. For Name, enter a unique name for the new data disk.
  7. For Description, provide a short description for the resource.
  8. Use the controls in the Tag section to apply key-value pairs to the new disk.
  9. Choose the appropriate resource group from the Resource Group dropdown list.
  10. Choose Preview and select Create to create your new, encrypted ECS data disk.

06 Copy your data to the newly encrypted ECS data disk.

07 (Optional) Choose the unencrypted data disk and select Release to delete the resource. Check I am aware of the disks and associated resources to be released and understand the related data risks and choose Confirm to confirm the release. Choose Close to return to the ECS console.

08 Repeat steps no. 5 - 7 for each unattached ECS disk that you want to encrypt, available in the selected cloud region.

09 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Directly encrypting existing data disks is not possible in Elastic Compute Service (ECS). To secure your data, you will have to manually copy it to a newly encrypted data disk. To create a new, encrypted ECS data disk run CreateDisk command (OSX/Linux/UNIX). To enable data encryption, set the --Encrypted parameter to true and use the --KMSKeyId parameter to specify the ID of the CMK that you want to use for data encryption: 

aliyun ecs CreateDisk
  --RegionId 'eu-west-1'
  --ZoneId 'eu-west-1a'
  --DiskName 'tm-project-encrypted-data-disk'
  --ResourceGroupId 'rg-abcdabcdabcdabcd'
  --DiskCategory cloud_essd
  --PerformanceLevel PL0
  --Size 40
  --Encrypted true
  --KMSKeyId 'abcd1234-abcd-1234-abcd-1234abcd1234'

02 The command output should return the ID of the new data disk: 

{
	"DiskId": "d-abcd1234abcd1234abcd",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"OrderId": "123456789012345"
}

03 Copy your data to the newly encrypted ECS data disk.

04 (Optional) Run DeleteDisk command (OSX/Linux/UNIX) to release the unencrypted ECS data disk: 

aliyun ecs DeleteDisk --DiskId 'd-12341234123412341234'

05 If successful, the output should return the command request ID: 

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

06 Repeat steps no. 1 - 5 for each unattached ECS disk that you want to encrypt, available in the selected cloud region.

07 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 25, 2024

Related AlibabaCloud-ECS rules