Enable Encryption for VM Instance Disks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the disks (system and data disks) attached to your ECS virtual machine instances are encrypted in order to meet security and compliance requirements. Encrypting these disks protects the sensitive, confidential, and critical data they hold at rest, so that the data cannot be read from the underlying storage, from snapshots, or from images built from those disks without access to the encryption key.

Security

When working with production and sensitive data, it is highly recommended to encrypt it in order to protect it from attackers or unauthorized personnel. After an ECS instance disk is encrypted, data at rest on the disk and data in transit between the disk and the ECS instance are encrypted. Snapshots created from encrypted disks, and new disks created from these snapshots, are automatically encrypted. The keys used for data encryption are managed and protected by the Alibaba Cloud key management infrastructure through the Key Management Service (KMS). Note that encryption can only be chosen when a disk is created; an existing unencrypted disk cannot be encrypted in place, which is why the Remediation section below re-creates the instance from an encrypted image.


Audit

To determine if data encryption is enabled for ECS instance system and data disks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Instances & Images, choose Instances.

04 Select the cloud region where your VM instances reside from the top navigation bar.

05 Click on the ID (link) of the virtual machine (VM) instance that you want to examine and select the Cloud Disk tab to access the disks attached to the instance.

06 Click on the ID (link) of the system/data disk that you want to examine. The type of the ECS disk is listed in the Type column.

07 Select the Basic Information tab and check the Encrypted/Unencrypted attribute value to determine the encryption status for the selected resource. If the Encrypted/Unencrypted value is set to Unencrypted, data encryption is not enabled for the selected ECS instance disk.

08 Repeat steps no. 6 and 7 for each disk attached to the selected ECS instance.

09 Repeat steps no. 5 - 8 for each virtual machine (VM) instance deployed in the selected cloud region.

10 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeInstances command (OSX/Linux/UNIX) to describe the information available for each ECS virtual machine (VM) instance provisioned in the specified cloud region:

aliyun ecs DescribeInstances --RegionId 'eu-west-1'

02 The command output should return the requested information (including the VM instance ID, i.e. "InstanceId" value):

{
	"Instances": {
		"Instance": [
			{
				"InstanceId": "i-abcd1234abcd1234abcd",
				"HostName": "abcd1234abcd1234abcd1234",
				"ImageId": "aliyun_3_9_x64_20G_alibase_20231219.vhd",

				...

				"OSType": "linux",
				"RegionId": "eu-west-1",
				"ZoneId": "eu-west-1a"
			},
			{
				"InstanceId": "i-1234abcd1234abcd1234",
				"HostName": "1234abcd1234abcd1234abcd",
				"ImageId": "aliyun_3_9_x64_20G_alibase_20231219.vhd",

				...

				"OSType": "linux",
				"RegionId": "eu-west-1",
				"ZoneId": "eu-west-1a"
			}
		]
	},
	"NextToken": "",
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 2
}

03 Run DescribeDisks command (OSX/Linux/UNIX) using the ID of the virtual machine (VM) instance that you want to examine as the identifier parameter, to describe the configuration information available for each disk attached to the selected VM instance:

aliyun ecs DescribeDisks --RegionId 'eu-west-1' --InstanceId 'i-abcd1234abcd1234abcd'

04 The command output should return the requested configuration details (including the disk encryption information):

{
	"Disks": {
		"Disk": [
			{
				"Category": "cloud_efficiency",
				"CreationTime": "2024-02-23T17:52:37Z",
				"DeleteAutoSnapshot": false,
				"DeleteWithInstance": true,
				"Device": "/dev/xvdb",
				"DiskChargeType": "PostPaid",
				"DiskId": "d-12341234123412341234",
				"EnableAutoSnapshot": true,
				"EnableAutomatedSnapshotPolicy": false,

				...

				"Encrypted": false,
				"InstanceId": "i-abcd1234abcd1234abcd",
				"MultiAttach": "Disabled",
				"Portable": true,
				"RegionId": "eu-west-1",
				"SerialNumber": "12341234123412341234",
				"Size": 40,
				"Type": "data",
				"Status": "In_use",
				"ZoneId": "eu-west-1a"
			},
			{
				"Category": "cloud_efficiency",
				"CreationTime": "2024-02-23T17:52:37Z",
				"DeleteAutoSnapshot": false,
				"DeleteWithInstance": false,
				"Device": "/dev/xvda",
				"DiskChargeType": "PostPaid",
				"DiskId": "d-abcdabcdabcdabcdabcd",
				"EnableAutoSnapshot": true,
				"EnableAutomatedSnapshotPolicy": false,

				...

				"Encrypted": false,
				"InstanceId": "i-abcd1234abcd1234abcd",
				"MultiAttach": "Disabled",
				"Portable": true,
				"RegionId": "eu-west-1",
				"Size": 40,
				"Type": "system",
				"Status": "In_use",
				"ZoneId": "eu-west-1a"
			}
		]
	},
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 2
}

Check the "Encrypted" attribute value for each attached ECS disk listed within the "Disk" array, returned by the DescribeDisks command output. If the "Encrypted" attribute value is set to false, the virtual machine (VM) instance disk is not encrypted.

05 Repeat steps no. 3 and 4 for each virtual machine (VM) instance deployed in the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.
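The CLI audit above is easy to get wrong at scale: DescribeInstances and DescribeDisks page their results (note the PageNumber, PageSize and TotalCount fields in the sample output), so a single call can silently miss resources. The following script is an added example, not code from the Conformity page or from Alibaba Cloud. It wraps the same two `aliyun ecs` commands shown above, walks every page, and reports each instance that has at least one disk whose "Encrypted" attribute is not true. The sample instance and disk records embedded in it are constructed from the IDs used on this page so the logic can be run offline; pass the default `run_aliyun` runner instead of `fake_run` to audit a real region.

```python
import json
import subprocess
from typing import Callable, Dict, Iterable, Iterator, List

# A Runner takes the aliyun CLI arguments (without the leading "aliyun") and
# returns the parsed JSON response, so the real CLI can be swapped for a fake.
Runner = Callable[[List[str]], dict]


def run_aliyun(args: List[str]) -> dict:
    """Invoke the Alibaba Cloud CLI and parse its JSON output."""
    proc = subprocess.run(["aliyun", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def paginate(run: Runner, args: List[str], container: str, item: str) -> Iterator[dict]:
    """Yield every element of a paged Describe* response.

    DescribeInstances and DescribeDisks return PageNumber/PageSize/TotalCount;
    request pages explicitly until TotalCount items have been seen.
    """
    page, seen = 1, 0
    while True:
        resp = run([*args, "--PageNumber", str(page), "--PageSize", "100"])
        items = resp.get(container, {}).get(item, [])
        yield from items
        seen += len(items)
        if not items or seen >= int(resp.get("TotalCount", 0)):
            return
        page += 1


def unencrypted_disks(disks: Iterable[dict]) -> List[dict]:
    """Return the disks whose Encrypted attribute is not true.

    A missing attribute is treated as unencrypted (fail closed).
    """
    return [d for d in disks if d.get("Encrypted") is not True]


def audit_region(region: str, run: Runner = run_aliyun) -> Dict[str, List[str]]:
    """Map each non-compliant instance ID to the IDs of its unencrypted disks."""
    findings: Dict[str, List[str]] = {}
    for inst in paginate(run, ["ecs", "DescribeInstances", "--RegionId", region],
                         "Instances", "Instance"):
        iid = inst["InstanceId"]
        disks = paginate(run, ["ecs", "DescribeDisks", "--RegionId", region, "--InstanceId", iid],
                         "Disks", "Disk")
        bad = [d["DiskId"] for d in unencrypted_disks(disks)]
        if bad:
            findings[iid] = bad
    return findings


# Constructed sample data shaped like the DescribeInstances/DescribeDisks
# responses above; not real API output.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-abcd1234abcd1234abcd", "RegionId": "eu-west-1"},
    {"InstanceId": "i-1234abcd1234abcd1234", "RegionId": "eu-west-1"},
]
SAMPLE_DISKS = {
    "i-abcd1234abcd1234abcd": [
        {"DiskId": "d-12341234123412341234", "Type": "data", "Encrypted": False},
        {"DiskId": "d-abcdabcdabcdabcdabcd", "Type": "system", "Encrypted": False},
    ],
    "i-1234abcd1234abcd1234": [
        {"DiskId": "d-aaaaaaaaaaaaaaaaaaaa", "Type": "system", "Encrypted": True},
    ],
}


def fake_run(args: List[str]) -> dict:
    """Stand-in for run_aliyun that serves the constructed samples, one instance per page."""
    page = int(args[args.index("--PageNumber") + 1])
    if "DescribeInstances" in args:
        return {"Instances": {"Instance": SAMPLE_INSTANCES[page - 1:page]},
                "PageNumber": page, "PageSize": 1, "TotalCount": len(SAMPLE_INSTANCES)}
    iid = args[args.index("--InstanceId") + 1]
    disks = SAMPLE_DISKS.get(iid, [])
    return {"Disks": {"Disk": disks if page == 1 else []},
            "PageNumber": page, "PageSize": 100, "TotalCount": len(disks)}


if __name__ == "__main__":
    # Replace fake_run with run_aliyun (the default) to audit a real region.
    for instance_id, disk_ids in audit_region("eu-west-1", fake_run).items():
        print(f"{instance_id}: unencrypted disks {', '.join(disk_ids)}")
```

The fake runner deliberately serves one instance per page so that the pagination loop is exercised; with the real CLI the same loop handles regions with more instances or disks than fit in a single response.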

Remediation / Resolution

To enable data encryption for the system/data disks attached to your ECS instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Instances & Images, choose Instances.

04 Select the cloud region where your VM instances reside from the top navigation bar.

05 Directly encrypting disks attached to VM instances is not possible in Elastic Compute Service (ECS). Therefore, to enable disk encryption, you have to re-create the associated instance with the necessary encryption configuration. Click on the ID (link) of the virtual machine (VM) instance that you want to redeploy in order to enable data encryption.

06 Choose All Operations and select Create Custom Image under Disks and Images.

07 Provide a unique name for the custom image in the Image Name box, ensure that the correct Resource Group is selected, and choose OK to create your custom image.

08 In the left navigation panel, under Instances & Images, choose Images.

09 Select the newly created image and choose Copy image to create an encrypted copy of the image:

  1. For Copy Mode, choose Copy and Encrypt (Time-consuming).
  2. For Encryption Settings, specify the destination region and select the required KMS key. To use the default Customer Master Key (CMK) provided by the ECS service, choose Default Service CMK. Otherwise, you can use your own CMK to encrypt the image copy.
  3. For Custom Image Name, provide a unique name for your new image copy.
  4. Choose Confirm to create an encrypted copy of your image.

10 Once the image copy is available, choose Create Instance and follow the setup wizard to create a new VM instance from the encrypted image:

  1. For Billing Method choose the appropriate billing method.
  2. For Region select the same cloud region as the unencrypted instance.
  3. For Network and Zone, ensure that the correct VPC and availability zone are selected.
  4. For Instances & Images, select the same instance type as the unencrypted VM instance and ensure that your encrypted image is selected in the Image section.
  5. For Storage, ensure that both system and data disks are encrypted. (Optional) If required, configure automatic snapshot policies for instance disks and set the NAS file systems.
  6. For Bandwidths & Security Groups, choose whether to assign a public IPv4 address, select the security group used by the unencrypted instance, and configure the Elastic Network Interface (ENI) settings (optional).
  7. For Management, set the necessary logon credentials and apply tags (key-value pairs) for better resource management.
  8. Choose Advanced Settings (Optional), provide a unique name for your new instance in the Instance Name box, then configure any required advanced settings such as Resource Group, Instance RAM Role, and Release Protection.
  9. On the summary panel, review the instance configuration settings, select the ECS Terms of Service checkbox, and choose Create Order to deploy your new virtual machine (VM) instance. The disks (system and data disks) attached to the new instance are now encrypted.
  10. In the confirmation box, choose Console to return to the ECS console.

11 Repeat steps no. 5 - 10 for each unencrypted ECS instance available in the selected cloud region. Once a replacement instance has been validated, release the unencrypted instance and delete the unencrypted custom image created in step 7 together with its snapshots, as they still hold a plaintext copy of the data.

12 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Directly encrypting disks attached to VM instances is not possible in Elastic Compute Service (ECS). To enable disk encryption, you have to re-create the associated instance with the required encryption configuration. To get started, create a custom image from the unencrypted VM instance. Run CreateImage command (OSX/Linux/UNIX) to create a new ECS custom image:

aliyun ecs CreateImage \
  --RegionId 'eu-west-1' \
  --ImageName 'tm-unencrypted-instance-image' \
  --InstanceId 'i-12341234123412341234'

02 The command output should return the ID of the new custom image:

{
	"ImageId": "m-abcabcabcabcabcabcab",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run CopyImage command (OSX/Linux/UNIX) to create an encrypted copy of your custom image. To enable data encryption, set the --Encrypted parameter to true and use the --KMSKeyId parameter to specify the ID of the CMK that you want to use for encryption:

aliyun ecs CopyImage \
  --RegionId 'eu-west-1' \
  --ImageId 'm-abcabcabcabcabcabcab' \
  --DestinationImageName 'tm-encrypted-instance-image' \
  --DestinationRegionId 'eu-west-1' \
  --Encrypted true \
  --KMSKeyId '2c51c67d-f4b3-4e8f-ac1f-13da83bde08c'

04 The command output should return the ID of the encrypted image copy. Copying and encrypting an image is time-consuming; wait until the new image reports the Available status (for example, by checking its Status attribute in the DescribeImages command output) before using it to launch an instance:

{
	"ImageId": "m-12345678901234567890",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

05 Run CreateInstance command (OSX/Linux/UNIX) to create a new ECS instance from the encrypted image copy. The system and data disks restored from the encrypted image are encrypted. Any additional data disks that are not part of the image must be created with their own encryption setting enabled (the DataDisk.N.Encrypted parameter), otherwise they are created unencrypted:

aliyun ecs CreateInstance \
  --InstanceName 'tm-encrypted-instance' \
  --InstanceChargeType 'PostPaid' \
  --RegionId 'eu-west-1' \
  --ImageId 'm-12345678901234567890' \
  --InstanceType 'ecs.t6-c4m1.large' \
  --SecurityGroupId 'sg-abcdabcdabcdabcdabcd' \
  --VSwitchId 'vsw-1234abcd1234abcd1234a'

06 The command output should return the ID of the new, encrypted ECS instance:

{
	"InstanceId": "i-abcdabcdabcdabcdabcd",
	"OrderId": "1234567890",
	"TradePrice": 0.016,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

07 Repeat steps no. 1 - 6 for each unencrypted ECS instance available within the selected cloud region. After validating each replacement instance, release the unencrypted instance and delete the unencrypted custom image created in step 1 (and its snapshots), since it still holds a plaintext copy of the data.

08 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.
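The CLI remediation steps 1 - 6 are asynchronous: CreateImage and CopyImage return immediately, but the image must reach the Available status before it can be copied or used to launch an instance. The script below is an added example, not code from the Conformity page or from Alibaba Cloud. It chains the same three `aliyun ecs` calls shown above in the required order, polls DescribeImages between them, and aborts on a CreateFailed image or a timeout. The image, instance, security group, VSwitch and KMS key IDs are the placeholders from this page; the `FakeCli` class is a constructed stand-in for the CLI (not real API output) so the flow runs offline, and the `run` and `sleep` parameters are injection points that default to the real CLI and `time.sleep`.

```python
import json
import subprocess
import time
from typing import Callable, Dict, List

Runner = Callable[[List[str]], dict]


def run_aliyun(args: List[str]) -> dict:
    """Invoke the Alibaba Cloud CLI and parse its JSON output."""
    proc = subprocess.run(["aliyun", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def wait_for_image(run: Runner, region: str, image_id: str,
                   sleep: Callable[[float], None] = time.sleep,
                   attempts: int = 120, interval: float = 15.0) -> str:
    """Poll DescribeImages until the image is Available.

    Using an image before it is Available fails, and an encrypted copy can
    take a long time. CreateFailed and exhausting the poll budget both raise.
    """
    for _ in range(attempts):
        resp = run(["ecs", "DescribeImages", "--RegionId", region, "--ImageId", image_id])
        images = resp.get("Images", {}).get("Image", [])
        status = images[0].get("Status") if images else None
        if status == "Available":
            return image_id
        if status == "CreateFailed":
            raise RuntimeError(f"image {image_id} failed to build")
        sleep(interval)
    raise TimeoutError(f"image {image_id} still not Available after {attempts} polls")


def encrypt_instance(region: str, instance_id: str, kms_key_id: str, instance_type: str,
                     security_group_id: str, vswitch_id: str,
                     run: Runner = run_aliyun,
                     sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """CreateImage -> CopyImage --Encrypted true -> CreateInstance, waiting in between."""
    # Page step 1: capture the unencrypted instance as a custom image.
    src = run(["ecs", "CreateImage", "--RegionId", region, "--InstanceId", instance_id,
               "--ImageName", f"{instance_id}-unencrypted"])["ImageId"]
    wait_for_image(run, region, src, sleep)
    # Page step 3: copy and encrypt the image in the same region under the chosen CMK.
    enc = run(["ecs", "CopyImage", "--RegionId", region, "--DestinationRegionId", region,
               "--ImageId", src, "--DestinationImageName", f"{instance_id}-encrypted",
               "--Encrypted", "true", "--KMSKeyId", kms_key_id])["ImageId"]
    wait_for_image(run, region, enc, sleep)
    # Page step 5: launch the replacement; disks restored from the encrypted image are encrypted.
    new_id = run(["ecs", "CreateInstance", "--RegionId", region, "--ImageId", enc,
                  "--InstanceType", instance_type, "--SecurityGroupId", security_group_id,
                  "--VSwitchId", vswitch_id, "--InstanceChargeType", "PostPaid",
                  "--InstanceName", f"{instance_id}-encrypted"])["InstanceId"]
    return {"source_image": src, "encrypted_image": enc, "instance": new_id}


class FakeCli:
    """Constructed stand-in for the aliyun CLI (not real API output).

    Each image becomes Available on the third DescribeImages poll, so the
    wait logic is actually exercised. Every call is recorded in `calls`.
    """

    def __init__(self) -> None:
        self.calls: List[List[str]] = []
        self.pending: Dict[str, int] = {}

    def __call__(self, args: List[str]) -> dict:
        self.calls.append(args)
        api = args[1]
        if api == "CreateImage":
            self.pending["m-abcabcabcabcabcabcab"] = 2
            return {"ImageId": "m-abcabcabcabcabcabcab"}
        if api == "CopyImage":
            self.pending["m-12345678901234567890"] = 2
            return {"ImageId": "m-12345678901234567890"}
        if api == "DescribeImages":
            image_id = args[args.index("--ImageId") + 1]
            left = self.pending[image_id]
            self.pending[image_id] = max(0, left - 1)
            status = "Available" if left == 0 else "Creating"
            return {"Images": {"Image": [{"ImageId": image_id, "Status": status}]}}
        if api == "CreateInstance":
            return {"InstanceId": "i-abcdabcdabcdabcdabcd"}
        raise ValueError(f"unexpected API {api}")


if __name__ == "__main__":
    # Swap FakeCli() for run_aliyun (the default) to run against a real account.
    print(encrypt_instance("eu-west-1", "i-12341234123412341234",
                           "2c51c67d-f4b3-4e8f-ac1f-13da83bde08c", "ecs.t6-c4m1.large",
                           "sg-abcdabcdabcdabcdabcd", "vsw-1234abcd1234abcd1234a",
                           run=FakeCli(), sleep=lambda _: None))
```

The script stops at the new instance; releasing the old unencrypted instance and deleting the unencrypted source image and its snapshots is left as a separate, deliberate step once the replacement has been validated.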


Publication date Apr 25, 2024