Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

AWS Config Rule for App-Tier Encrypted Volumes

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that a managed Config rule for Amazon EBS encrypted volumes is created for your app tier. AWS Config tracks changes within your app-tier resources configuration and saves the recorded data to log files on S3, logs that can be useful for security and compliance audits. A managed Config rule is a predefined and customizable rule that AWS Config uses to evaluate whether your app-tier resources (i.e. EBS volumes) comply with common security best practices. This conformity rule assumes that all the AWS resources available in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the conformity rule settings, on the Cloud Conformity account dashboard.

Security

Evaluate the configuration of your app-tier EBS volumes in order to ensure that encryption at rest is enabled, as the required managed Config rule can determine how your EBS resources have been configured at a certain point in time and what relationships these had with other resources available within the app tier.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if there is a managed Config rule that checks if your app-tier EBS volumes are encrypted, available in your AWS account, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create AWS Config Rule for App-Tier Encrypted Volumes conformity rule settings and copy the tags defined for AWS resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the navigation panel, under AWS Config, click Rules.

05 Choose the AWS Config rule that you want to examine, then click on the pencil (edit) icon available in the Edit rule column.

06 On the Configure rule page, check the following configuration attributes:

  1. Managed rule name – the name of the AWS Lambda function that evaluates whether your AWS resources comply with the rule. For compliance, the value of this attribute should be set to "ENCRYPTED_VOLUMES".
  2. Scope of changes – the scope to constrain which resources trigger an evaluation for the selected rule. For compliance, the value of this configuration attribute should be set to "Tags".
  3. Resources by tag – the tags used to identify the AWS resources evaluated by the selected rule. For compliance, the tags defined for this attribute should match the ones copied at step no. 1, e.g. <app_tier_tag>:<app_tier_tag_value>.

07 Repeat step no. 5 and 6 to verify each Config rule created in the selected AWS region. If none of the AWS Config rules available within the selected region have the configuration attributes listed at step no. 6 set to compliant values, i.e. a. "ENCRYPTED_VOLUMES", b. "Tags" and c. <app_tier_tag>:<app_tier_tag_value>, there is no managed Config rule that checks if your app-tier EBS volumes are encrypted, available in the selected AWS region.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create AWS Config Rule for App-Tier Encrypted Volumes conformity rule settings and copy the tags defined for AWS resources within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-config-rules command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as input parameters for query filters to describe the configuration information of the managed Config rule that checks if the app-tier EBS volumes, available in the selected AWS region, are encrypted (replace <app_tier_tag> and <app_tier_tag_value> with your own tags): 

aws configservice describe-config-rules
	--region us-east-1
	--query "ConfigRules[?Source.SourceIdentifier == 'ENCRYPTED_VOLUMES']|[?Scope.TagKey == '<app_tier_tag>']|[?Scope.TagValue == '<app_tier_tag_value>']"

03 The command output should return the configuration details for the requested AWS Config rule: 

[]

If the describe-config-rules command output returns an empty array (i.e. []), as shown in the example above, there is no managed Config rule that checks if your app-tier EBS volumes are encrypted, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

Remediation / Resolution

To create a managed AWS Config rule that periodically checks if your app-tier EBS volumes are encrypted, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Click Add rule button from the dashboard top menu to start the rule setup process.

05 Inside Filter by rule name, label or description box, type encrypted-volumes and press Enter.

06 Click on the predefined AWS Config rule returned to edit its configuration parameters.

07 On the Configure rule page, change the following settings:

  1. (Optional) Change the predefined rule name and the description available in the Name and Description boxes.
  2. In the Trigger section, select Tags from Scope of changes. This will configure the rule to trigger the evaluation when the resources with the specified tags are created, changed, or deleted.
  3. For Resources by tag, provide the tag name and tag value used to identify the app-tier EBS volumes. These tags should match the ones defined in the conformity rule settings, on the Cloud Conformity dashboard (e.g. <app_tier_tag>:<app_tier_tag_value>).
  4. (Optional) In the Rule Parameters section, for the kmsId parameter key, provide the ARN of the KMS key used to encrypt the app-tier EBS volumes (if any).
  5. Click Save to apply the configuration changes and return to the AWS Config dashboard. The Config service will start now to evaluate the AWS resources against the new rule. After the evaluation completes, the Compliance status of the rule should change according to the evaluation results.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 if you need to create this managed AWS Config rule in other AWS region.

Using AWS CLI

01 Define the configuration for the managed Config rule that checks if your app-tier EBS volumes are encrypted. Save the configuration information described below to a JSON document named cc-config-rule-for-encrypted-volumes.json. The following configuration is used to create a managed rule named "encrypted-volumes", based on a predefined Lambda function named "ENCRYPTED_VOLUMES" that evaluates whether your app-tier EBS volumes, tagged with <app_tier_tag>:<app_tier_tag_value>, comply with the rule. (Optional) The ID of the app-tier KMS key used to encrypt the EBS volumes is identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/bbbbaaaa-cccc-dddd-eeee-ccccbbbbaaaa": 

{
    "ConfigRuleName": "encrypted-volumes",
    "Description": "Checks whether the app-tier EBS volumes that are in an attached state are encrypted. Optionally, you can specify the ID of a app-tier KMS key used to encrypt the volumes.",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "ENCRYPTED_VOLUMES"
    },
    "Scope": {
        "TagKey": "<app_tier_tag>",
        "TagValue": "<app_tier_tag_value>"
    },
    "InputParameters": "{\"kmsId\":\"arn:aws:kms:us-east-1:123456789012:key/bbbbaaaa-cccc-dddd-eeee-ccccbbbbaaaa\"}"
}

02 Run put-config-rule command (OSX/Linux/UNIX) using the configuration file defined at the previous step to create the required managed Config rule in the selected AWS region (the command does not return an output): 

aws configservice put-config-rule
	--region us-east-1
	--config-rule file://cc-config-rule-for-encrypted-volumes.json

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 if you need to create this managed AWS Config rule in other AWS region.

References

Publication date Mar 28, 2018

Related ConfigService rules