Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

AWS Config Rule for Web-Tier Encrypted Volumes

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure a managed Config rule for EBS encrypted volumes is created for your web tier. AWS Config tracks changes within your web-tier resources configuration and saves the recorded data to log files which can be useful for security and compliance audits or for troubleshooting. A managed Config rule is a predefined, customizable rule, that the Config service uses to evaluate whether your web-tier resources comply with common security best practices. This conformity rule assumes that all the AWS resources within your web tier (including AWS EBS volumes) are already tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be known and configured in the conformity rule settings, on the Cloud Conformity account dashboard.

Security

Evaluate the configuration of your web-tier EBS volumes in order to ensure that encryption at rest is enabled, as the required managed Config rule can determine how your EBS resources have been configured at a certain point in time and what relationships these had with other resources (e.g. KMS CMKs) available in the web tier.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if there is a managed Config rule that checks if your web-tier EBS volumes are encrypted, available in your AWS account, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create AWS Config Rule for Web-Tier Encrypted Volumes conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

04 In the navigation panel, under AWS Config, click Rules.

05 Choose the AWS Config rule that you want to examine, then click on the pencil (edit) icon available in the Edit rule column.

06 On the Configure rule page, check the following configuration attributes:

  1. Managed rule name – the name of the AWS Lambda function that evaluates whether your AWS resources comply with the rule. For compliance, the value of this attribute should be set to "ENCRYPTED_VOLUMES".
  2. Scope of changes – the scope to constrain which resources trigger an evaluation for the selected rule. For compliance, the value of this configuration attribute should be set to "Tags".
  3. Resources by tag – the tags used to identify the AWS resources evaluated by the selected rule. For compliance, the tags defined for this attribute should match the ones copied at step no. 1, e.g. <web_tier_tag>:<web_tier_tag_value>.

07 Repeat step no. 5 and 6 to verify each Config rule created in the selected AWS region. If none of the AWS Config rules available within the selected region have the configuration attributes listed at step no. 6 set to compliant values, i.e. a. "ENCRYPTED_VOLUMES", b. "Tags" and c. <web_tier_tag>:<web_tier_tag_value>, there is no managed Config rule that checks if your web-tier EBS volumes are encrypted, available in the selected AWS region.

08 Change the AWS region from the navigation bar and repeat steps no. 5 – 7 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create AWS Config Rule for Web-Tier Encrypted Volumes conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-config-rules command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filtering parameters and custom query filters to describe the configuration information of the managed Config rule that checks if the web-tier EBS volumes, available in the selected AWS region, are encrypted (replace <web_tier_tag> and <web_tier_tag_value> with your own tag name and value): 

aws configservice describe-config-rules
	--region us-east-1
	--query "ConfigRules[?Source.SourceIdentifier == 'ENCRYPTED_VOLUMES']|[?Scope.TagKey == '<web_tier_tag>']|[?Scope.TagValue == '<web_tier_tag_value>']"

03 The command output should return the configuration details for the requested AWS Config rule: 

[]

If the describe-config-rules command output returns an empty array (i.e. []), as shown in the example above, there is no managed Config rule that checks if your web-tier EBS volumes are encrypted, available within the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

Remediation / Resolution

To create a managed AWS Config rule that periodically checks if your web-tier EBS volumes are encrypted, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/config/.

03 In the navigation panel, under AWS Config, click Rules.

04 Click Add rule button from the dashboard top menu to start the rule setup process.

05 Inside Filter by rule name, label or description box, type encrypted-volumes and press Enter.

06 Click on the predefined AWS Config rule returned from the filtering to edit its configuration parameters.

07 On the Configure rule page, change the following settings:

  1. (Optional) Change the predefined rule name and the description available in the Name and Description boxes.
  2. In the Trigger section, select Tags from the Scope of changes so that the rule can trigger the evaluation when the resources with the specified tags are created, changed, or deleted.
  3. For Resources by tag, provide the tag name and tag value used to identify the web-tier EBS volumes. These tags should match the ones defined in the conformity rule settings, on the Cloud Conformity account dashboard (e.g. <web_tier_tag>:<web_tier_tag_value>).
  4. (Optional) In the Rule Parameters section, for the kmsId parameter key, provide the ARN of the KMS key used to encrypt the web-tier EBS volumes.
  5. Click Save to apply the configuration changes and return to the AWS Config dashboard. The Config service will start now to evaluate the AWS resources against the new rule. After the evaluation completes, the Compliance status of the rule should change based on the evaluation results.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 if you need to create the required managed AWS Config rule in other AWS region.

Using AWS CLI

01 Define the configuration for the managed Config rule that checks if your web-tier EBS volumes are encrypted. Save the configuration information listed below to a JSON document named cc-config-rule-for-encrypted-volumes.json. The following configuration is used to create a managed rule named "encrypted-volumes", based on a predefined Lambda function named "ENCRYPTED_VOLUMES" that evaluates whether your web-tier EBS volumes, tagged with <web_tier_tag>:<web_tier_tag_value>, comply with the rule. (Optional) The ID of the web-tier KMS key used to encrypt the EBS volumes is identified by the ARN "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc": 

{
    "ConfigRuleName": "encrypted-volumes",
    "Description": "Checks whether the web-tier EBS volumes that are in an attached state are encrypted. Optionally, you can specify the ID of a web-tier KMS key used to encrypt the volumes.",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "ENCRYPTED_VOLUMES"
    },
    "Scope": {
        "TagKey": "<web_tier_tag>",
        "TagValue": "<web_tier_tag_value>"
    },
    "InputParameters": "{\"kmsId\":\"arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc\"}"
}

02 Run put-config-rule command (OSX/Linux/UNIX) using the configuration file defined at the previous step (i.e. cc-config-rule-for-encrypted-volumes.json) to create the necessary managed Config rule in the selected AWS region (the command does not produce an output): 

aws configservice put-config-rule
	--region us-east-1
	--config-rule file://cc-config-rule-for-encrypted-volumes.json

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 if you need to create the necessary managed AWS Config rule in other AWS region.

References

Publication date Mar 28, 2018

Related ConfigService rules