Ensure that all Amazon Elastic Block Store (EBS) volumes created for the app tier are encrypted, in order to meet security and compliance requirements. With encryption enabled, your app-tier EBS volumes can safely hold sensitive, confidential, and critical data. Encryption and decryption are handled transparently and require no additional action from you, your EC2 instance, or your application. The keys used to encrypt your app-tier EBS data are managed entirely by AWS Key Management Service (KMS). This conformity rule assumes that all the AWS cloud resources created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Trend Cloud One™ – Conformity engine runs this rule, the app-tier tags must be configured in the rule settings in your Conformity account console.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with application data that is crucial to your business, it is highly recommended to implement encryption at rest in order to protect your app-tier data from attackers or unauthorized personnel. With encryption enabled, the data at rest on your app-tier Amazon EBS volumes, the disk I/O moving between the volume and the instance, and the snapshots created from the volume are all encrypted.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.
Audit
To determine if all your app-tier EBS volumes are encrypted, perform the following actions:
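As an added example (it is not part of the Conformity rule text or of Trend's tooling), the following Python script performs the audit with the AWS CLI: it filters `aws ec2 describe-volumes` on the app-tier tag, then checks each volume's `Encrypted` flag and reports any tagged volume that is unencrypted. The script assumes the AWS CLI is installed and has credentials; the function names, the `tier`/`app` tag pair and the volume records in the constructed sample are illustrative, not account data.

```python
"""Audit helper: list app-tier EBS volumes whose Encrypted flag is false.

Added example, not part of the Conformity rule. It reads the JSON that
`aws ec2 describe-volumes` prints and evaluates it offline.
"""
import json
import subprocess
from typing import Any

# Placeholders from the rule text; replace with the tag set you use for the app tier.
APP_TIER_TAG = "<app_tier_tag>"
APP_TIER_TAG_VALUE = "<app_tier_tag_value>"


def describe_volumes_command(tag: str, value: str, region: str) -> list[str]:
    """aws CLI call that returns only the volumes carrying the app-tier tag."""
    return [
        "aws", "--region", region, "ec2", "describe-volumes",
        "--filters", f"Name=tag:{tag},Values={value}",
        "--output", "json",
    ]


def has_tag(volume: dict[str, Any], tag: str, value: str) -> bool:
    """Client-side re-check of the tag, so a pasted or cached JSON file is evaluated correctly too."""
    return any(t.get("Key") == tag and t.get("Value") == value
               for t in volume.get("Tags", []))


def unencrypted_app_tier_volumes(describe_output: dict[str, Any],
                                 tag: str, value: str) -> list[str]:
    """IDs of tagged volumes that are not encrypted; an empty list means the rule passes."""
    return sorted(
        v["VolumeId"]
        for v in describe_output.get("Volumes", [])
        if has_tag(v, tag, value) and not v.get("Encrypted", False)
    )


def audit(region: str, tag: str = APP_TIER_TAG, value: str = APP_TIER_TAG_VALUE) -> list[str]:
    """Run the CLI (assumes it is installed and has credentials) and evaluate its output."""
    proc = subprocess.run(describe_volumes_command(tag, value, region),
                          check=True, capture_output=True, text=True)
    return unencrypted_app_tier_volumes(json.loads(proc.stdout), tag, value)


# Constructed sample in the shape of describe-volumes output; not real account data.
SAMPLE_OUTPUT: dict[str, Any] = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": False,
         "Tags": [{"Key": "tier", "Value": "app"}]},
        {"VolumeId": "vol-0bbb", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
         "Tags": [{"Key": "tier", "Value": "app"}]},
        {"VolumeId": "vol-0ccc", "Encrypted": False,
         "Tags": [{"Key": "tier", "Value": "web"}]},   # different tier: out of scope
        {"VolumeId": "vol-0ddd", "Encrypted": False},   # untagged: out of scope
    ]
}

if __name__ == "__main__":
    for vol_id in unencrypted_app_tier_volumes(SAMPLE_OUTPUT, "tier", "app"):
        print(f"NON-COMPLIANT: {vol_id} is not encrypted")
```

Run `audit("us-east-1", "tier", "app")` against a live account once the tag pair matches your rule settings; the client-side tag re-check is deliberate so the same evaluation can be applied to a saved `describe-volumes` JSON file during an offline review.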
Remediation / Resolution
To enable encryption at rest for your app-tier Amazon EBS volumes, perform the following operations:
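As an added example (not part of the Conformity rule text or of Trend's tooling), the following Python script drives the AWS CLI commands listed under References in the order the remediation requires: snapshot the unencrypted volume, copy the snapshot with encryption under a KMS key, create a replacement volume from the encrypted snapshot, tag it with the app-tier tag, detach the old volume and attach the new one on the same device. It assumes the AWS CLI is installed and has credentials, that the volume is attached to exactly one instance, and that the instance has been stopped or the filesystem unmounted beforehand; the function names, the `tier`/`app` tag pair, the KMS key alias and the constructed sample volume are illustrative.

```python
"""Remediation helper: replace an unencrypted app-tier EBS volume with an encrypted copy.

Added example, not part of the Conformity rule. It drives the aws CLI commands
listed under References in order: create-snapshot, copy-snapshot (encrypted),
create-volume, create-tags, detach-volume, attach-volume.
"""
import json
import subprocess
from typing import Any, Callable

Runner = Callable[[list[str]], dict[str, Any]]


def aws_cli(argv: list[str]) -> dict[str, Any]:
    """Execute an aws CLI command and parse its JSON output (assumes a configured CLI)."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def dry_run(argv: list[str]) -> dict[str, Any]:
    """Print the command instead of running it; hands back placeholder IDs so the flow continues."""
    print(" ".join(argv))
    if "create-snapshot" in argv or "copy-snapshot" in argv:
        return {"SnapshotId": "snap-PLACEHOLDER"}
    if "create-volume" in argv:
        return {"VolumeId": "vol-PLACEHOLDER"}
    return {}


def remediate(volume: dict[str, Any], region: str, kms_key_id: str,
              tag: str, value: str, run: Runner = aws_cli) -> str:
    """Replace `volume` (one entry from describe-volumes) with an encrypted one.

    Returns the new volume ID. Stop the instance (or unmount the filesystem) before
    calling this; a root volume can only be swapped while the instance is stopped.
    """
    old_id = volume["VolumeId"]
    attachment = volume["Attachments"][0]          # assumes exactly one attachment
    instance_id, device = attachment["InstanceId"], attachment["Device"]
    base = ["aws", "--region", region, "ec2"]

    # 1. Snapshot the unencrypted volume and wait for the snapshot to complete.
    snap = run(base + ["create-snapshot", "--volume-id", old_id,
                       "--description", f"pre-encryption copy of {old_id}"])["SnapshotId"]
    run(base + ["wait", "snapshot-completed", "--snapshot-ids", snap])

    # 2. Copy the snapshot with encryption under the chosen KMS key.
    enc_snap = run(base + ["copy-snapshot", "--source-region", region,
                           "--source-snapshot-id", snap,
                           "--encrypted", "--kms-key-id", kms_key_id])["SnapshotId"]
    run(base + ["wait", "snapshot-completed", "--snapshot-ids", enc_snap])

    # 3. Create the replacement volume in the same AZ and of the same type, then tag it.
    new_id = run(base + ["create-volume", "--availability-zone", volume["AvailabilityZone"],
                         "--snapshot-id", enc_snap, "--volume-type", volume["VolumeType"],
                         "--encrypted", "--kms-key-id", kms_key_id])["VolumeId"]
    run(base + ["wait", "volume-available", "--volume-ids", new_id])
    run(base + ["create-tags", "--resources", new_id, "--tags", f"Key={tag},Value={value}"])

    # 4. Swap the volumes on the instance, reusing the original device name.
    run(base + ["detach-volume", "--volume-id", old_id])
    run(base + ["wait", "volume-available", "--volume-ids", old_id])
    run(base + ["attach-volume", "--volume-id", new_id,
                "--instance-id", instance_id, "--device", device])
    return new_id


# Constructed describe-volumes entry for an unencrypted app-tier volume (not real data).
SAMPLE_VOLUME: dict[str, Any] = {
    "VolumeId": "vol-0aaa", "Encrypted": False, "AvailabilityZone": "us-east-1a",
    "VolumeType": "gp3", "Tags": [{"Key": "tier", "Value": "app"}],
    "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/sdf", "State": "attached"}],
}

if __name__ == "__main__":
    # Dry run prints the exact command sequence; pass run=aws_cli to execute it for real.
    remediate(SAMPLE_VOLUME, "us-east-1", "alias/PLACEHOLDER-key", "tier", "app", run=dry_run)
```

The command runner is injected so the sequence can be reviewed with `dry_run` before any change is made; the old volume and the unencrypted snapshot are intentionally left in place so they can be deleted once the instance has been verified on the encrypted volume.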
References
- AWS Documentation
  - Amazon EBS Volumes
  - Amazon EBS Encryption
  - Create an Amazon EBS volume
  - Replace a volume using a previous snapshot
  - Detach an Amazon EBS volume from a Linux instance
  - Attach an Amazon EBS volume to an instance
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-volumes
    - create-snapshot
    - copy-snapshot
    - create-volume
    - create-tags
    - detach-volume
    - attach-volume
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider