App-Tier EBS Encrypted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EBS-013

Ensure that all Amazon Elastic Block Store (EBS) volumes created for the app tier are encrypted in order to meet security and compliance requirements. With encryption enabled, your app-tier EBS volumes can hold sensitive, confidential, and critical data. The encryption and decryption process is handled transparently and does not require any additional action from you, your EC2 instance, or your application. The encryption keys used to encrypt your app-tier EBS data are entirely managed by AWS Key Management Service (KMS). This conformity rule assumes that all the AWS cloud resources created within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before this rule is run by the Trend Cloud One™ – Conformity engine, the app-tier tags must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with application data that is crucial to your business, it is highly recommended to implement encryption at rest in order to protect your app-tier data from attackers or unauthorized personnel. With encryption enabled, the data stored on your app-tier Amazon EBS volumes, disk I/O, and volume snapshots is all encrypted.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the app tier.


Audit

To determine if all your app-tier EBS volumes are encrypted, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Encryption for App-Tier Volumes conformity rule settings, and copy the tag set defined for the AWS cloud resources provisioned within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under ELASTIC BLOCK STORE, click Volumes.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>), and press Enter. This filtering technique will return only the Amazon EBS volumes tagged for the app tier. If no results are returned, there are no app-tier EBS volumes provisioned within the current AWS region and the Audit process ends here. If one or more EBS volumes are returned, continue the Audit process with the next step.

06 Select the app-tier Amazon EBS volume that you want to examine.

07 Choose the Description tab from the console bottom panel and check the Encryption attribute value. If the Encryption attribute value is set to Not Encrypted, the selected app-tier EBS volume is not encrypted at rest.

08 Repeat steps no. 6 and 7 for each app-tier EBS volume available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Encryption for App-Tier Volumes conformity rule settings, and copy the tag set defined for the AWS cloud resources provisioned within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-volumes command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filter parameters and custom query filters to describe the ID of each app-tier Amazon EBS volume provisioned in the selected AWS cloud region:

aws ec2 describe-volumes \
  --region us-east-1 \
  --filters Name=tag:<app_tier_tag>,Values=<app_tier_tag_value> \
  --query 'Volumes[*].VolumeId'

03 The command output should return the requested volume ID(s). If the describe-volumes command output returns an empty array (i.e. []), there are no app-tier EBS volumes available in the current AWS region and the Audit process ends here. If one or more volume IDs are returned, as shown in the example below, continue the Audit process with the next step:

[
    "vol-0abcd1234abcd1234",
    "vol-01234abcd1234abcd"
]

04 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the app-tier EBS volume that you want to examine as the identifier parameter and custom query filters to determine whether the selected volume is encrypted or not:

aws ec2 describe-volumes \
  --region us-east-1 \
  --volume-ids vol-0abcd1234abcd1234 \
  --query 'Volumes[*].Encrypted'

05 The command output should return the requested encryption status (true for encrypted, false for unencrypted):

[
    false
]

If the describe-volumes command output returns false, as shown in the example above, the selected app-tier EBS volume is not encrypted at rest.

06 Repeat steps no. 4 and 5 for each app-tier EBS volume available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
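The CLI audit above is one volume and one region at a time. The following Python script is an added example (not part of the Conformity page or engine): it consumes the JSON that `aws ec2 describe-volumes --output json` prints for each region and applies the same test the rule applies, reporting the app-tier volumes whose Encrypted attribute is not true. The function names, the sample volume IDs and the Tier:app tag set are constructed for the example; volumes without a Tags key or with a different tag value are treated as out of scope, exactly as the console and CLI filters above treat them.

```python
"""Offline evaluation of the app-tier EBS encryption check over describe-volumes output.

Added example, not Conformity's code. Feed it the JSON from
`aws ec2 describe-volumes --region <region> --output json` for each region.
"""
import json
import sys


def has_tag(volume, tag_key, tag_value):
    """True if the volume carries tag_key=tag_value (the Tags key may be absent)."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in volume.get("Tags", []))


def unencrypted_app_tier_volumes(describe_output, tag_key, tag_value):
    """IDs of volumes tagged for the app tier whose Encrypted attribute is not true."""
    return [v["VolumeId"] for v in describe_output.get("Volumes", [])
            if has_tag(v, tag_key, tag_value) and not v.get("Encrypted", False)]


def audit_regions(outputs_by_region, tag_key, tag_value):
    """Map region -> non-compliant volume IDs; regions with no findings are omitted."""
    findings = {}
    for region, output in outputs_by_region.items():
        bad = unencrypted_app_tier_volumes(output, tag_key, tag_value)
        if bad:
            findings[region] = bad
    return findings


# Constructed sample in the shape of describe-volumes output; IDs are placeholders.
SAMPLE = {
    "us-east-1": {"Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": False,
         "Tags": [{"Key": "Tier", "Value": "app"}]},          # finding
        {"VolumeId": "vol-0bbb", "Encrypted": True,
         "Tags": [{"Key": "Tier", "Value": "app"}]},          # compliant
        {"VolumeId": "vol-0ccc", "Encrypted": False,
         "Tags": [{"Key": "Tier", "Value": "web"}]},          # other tier
        {"VolumeId": "vol-0ddd", "Encrypted": False},         # untagged: out of scope
    ]},
    "eu-west-1": {"Volumes": []},                             # no app-tier volumes
}

if __name__ == "__main__":
    # Usage: aws ec2 describe-volumes --region us-east-1 --output json \
    #        | python audit_app_tier_ebs.py <app_tier_tag> <app_tier_tag_value>
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        data = {"stdin": json.load(sys.stdin)}
        print(json.dumps(audit_regions(data, sys.argv[1], sys.argv[2]), indent=2))
    else:
        print(json.dumps(audit_regions(SAMPLE, "Tier", "app"), indent=2))
```

Run it once per region (changing --region as in step 07) and merge the results; a volume that is untagged is neither reported nor compliant, so a missing tag should be fixed before the rule is trusted.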

Remediation / Resolution

To enable encryption at rest for your app-tier Amazon EBS volumes, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). Replace <app_tier_tag> and <app_tier_tag_value> tag placeholders with your own tag set created for the app tier:

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description" : "Create and Attach Encrypted EBS Volume",
   "Resources":{
      "EncryptedAppVolume" : {
         "Type" : "AWS::EC2::Volume",
         "Properties" : {
            "SnapshotId" : "snap-01234abcd1234abcd",
            "VolumeType" : "gp2",
            "Encrypted" : "true",
            "AvailabilityZone" : "us-east-1c",
            "Tags" : [ {
               "Key" : "<app_tier_tag>",
               "Value" : "<app_tier_tag_value>"
            } ]
         }
      },
      "MountPoint" : {
         "Type" : "AWS::EC2::VolumeAttachment",
         "Properties" : {
            "InstanceId" : "i-0abcd1234abcd1234",
            "VolumeId"  : { "Ref" : "EncryptedAppVolume" },
            "Device" : "/dev/sdf"
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create and Attach Encrypted EBS Volume
Resources:
  EncryptedAppVolume:
    Type: AWS::EC2::Volume
    Properties:
      SnapshotId: snap-01234abcd1234abcd
      VolumeType: gp2
      Encrypted: 'true'
      AvailabilityZone: us-east-1c
      Tags:
      - Key: "<app_tier_tag>"
        Value: "<app_tier_tag_value>"
  MountPoint:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: i-0abcd1234abcd1234
      VolumeId:
        Ref: EncryptedAppVolume
      Device: "/dev/sdf"

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). Replace <app_tier_tag> and <app_tier_tag_value> tag placeholders with your own tag set created for the app tier:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-snapshot" {
  volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_volume" "encrypted-ebs-volume" {
  snapshot_id       = aws_ebs_snapshot.ebs-snapshot.id
  type              = "gp2"
  encrypted         = true
  availability_zone = "us-east-1c"

  # tags is a map of tag name => tag value; the app-tier tag must use
  # the tag name as the key so the conformity rule can match it.
  tags = {
    "<app_tier_tag>" = "<app_tier_tag_value>"
  }
}

resource "aws_volume_attachment" "encrypted-volume-attachment" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.encrypted-ebs-volume.id
  instance_id = "i-0abcd1234abcd1234"
}

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Encryption for App-Tier Volumes conformity rule settings, and copy the tag set defined for the AWS cloud resources provisioned within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under Elastic Block Store, choose Volumes.

05 Select the app-tier EBS volume that you want to encrypt.

06 Choose the Actions dropdown button from the console top menu and select Create Snapshot.

07 On the Create Snapshot setup page, provide a short description in the Description box, then choose Create Snapshot. Choose Close to return to the Amazon EC2 console.

08 In the navigation panel, under Elastic Block Store, choose Snapshots.

09 Select the newly created app-tier volume snapshot, choose Actions, and select Copy.

10 In the Copy Snapshot configuration box, select Encrypt this snapshot checkbox, choose (default) aws/ebs to use the default master key provided by AWS or select your own Customer Master Key (CMK) from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.

11 Select the new (copied) EBS volume snapshot, choose Actions, and select Create Volume.

12 On the Create Volume setup page, make sure that the appropriate master key is selected from the Master Key dropdown list, choose Add Tag and apply the tag set copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), review the volume configuration details, then choose Create Volume to provision your new app-tier EBS volume. Click Close to return to the Amazon EC2 console.

13 (Optional) To replace the unencrypted app-tier EBS volume with the one encrypted at the previous steps within your EC2 instance configuration, perform the following actions:

  1. In the navigation panel, under Elastic Block Store, choose Volumes.
  2. Select the unencrypted app-tier EBS volume that you want to replace.
  3. Choose the Actions dropdown button from the console top menu and select Detach Volume.
  4. Inside the Detach Volume dialog box, choose Yes, Detach.
  5. Select the newly created app-tier Amazon EBS volume.
  6. Choose the Actions button from the console top menu and select Attach Volume.
  7. In the Attach Volume configuration box, select the ID of the EC2 instance detached at step 3 from the Instance box, provide the device name required for attachment in the Device box, then choose Attach to attach the new app-tier EBS volume.

14 Repeat steps no. 5 – 13 to encrypt each app-tier EBS volume provisioned within the current AWS region.

15 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Enable Encryption for App-Tier Volumes conformity rule settings, and copy the tag set defined for the AWS cloud resources provisioned within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 To encrypt existing app-tier EBS volumes, you must re-create the volumes that you want to encrypt. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified, unencrypted EBS volume:

aws ec2 create-snapshot \
  --region us-east-1 \
  --volume-id vol-0abcd1234abcd1234

03 The output should return the create-snapshot command request metadata:

{
  "Description": "",
  "Tags": [],
  "Encrypted": false,
  "VolumeId": "vol-0abcd1234abcd1234",
  "State": "pending",
  "VolumeSize": 150,
  "StartTime": "2021-06-20T11:37:31.000Z",
  "Progress": "",
  "OwnerId": "123456789012",
  "SnapshotId": "snap-0abcd1234abcd1234"
}

04 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous steps. Use the --encrypted command parameter to encrypt the snapshot copy using the default master key (i.e. aws/ebs). (Optional) Include the --kms-key-id command parameter to encrypt the snapshot with a customer-managed Customer Master Key (CMK):

aws ec2 copy-snapshot \
  --region us-east-1 \
  --source-region us-east-1 \
  --source-snapshot-id snap-0abcd1234abcd1234 \
  --encrypted

05 The command output should return the ID of the new EBS volume snapshot:

{
  "SnapshotId": "snap-01234abcd1234abcd"
}

06 Run create-volume command (OSX/Linux/UNIX) to create a new app-tier EBS volume from the encrypted snapshot (copy) created at the previous steps. (Optional) To encrypt the new EBS volume with your own Customer Master Key (CMK), include the --kms-key-id parameter in the create-volume command request:

aws ec2 create-volume \
  --region us-east-1 \
  --volume-type gp2 \
  --size 150 \
  --availability-zone us-east-1a \
  --snapshot-id snap-01234abcd1234abcd \
  --encrypted

07 The command output should return the metadata available for the new, encrypted Amazon EBS volume:

{
  "AvailabilityZone": "us-east-1a",
  "MultiAttachEnabled": false,
  "Tags": [],
  "Encrypted": true,
  "VolumeType": "gp2",
  "VolumeId": "vol-0abcdabcdabcdabcd",
  "State": "creating",
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "SnapshotId": "snap-01234abcd1234abcd",
  "Iops": 450,
  "CreateTime": "2021-06-28T11:00:00.000Z",
  "Size": 150
}

08 Run create-tags command (OSX/Linux/UNIX) to apply the tag set copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>) to the newly created Amazon EBS volume (the command request should not produce an output):

aws ec2 create-tags \
  --region us-east-1 \
  --resources vol-0abcdabcdabcdabcd \
  --tags Key=<app_tier_tag>,Value=<app_tier_tag_value>

09 (Optional) To replace the unencrypted app-tier EBS volume with the one encrypted at the previous steps within your Amazon EC2 instance configuration, perform the following actions:

  1. Run detach-volume command (OSX/Linux/UNIX) to detach the unencrypted app-tier EBS volume from the specified EC2 instance:

    aws ec2 detach-volume \
      --region us-east-1 \
      --volume-id vol-0abcd1234abcd1234

  2. The output should return the detach-volume command request metadata:

    {
      "AttachTime": "2021-06-28T12:00:19.000Z",
      "InstanceId": "i-01234123412341234",
      "VolumeId": "vol-0abcd1234abcd1234",
      "State": "detaching",
      "Device": "/dev/sdf"
    }

  3. To attach the new, encrypted app-tier EBS volume to the selected EC2 instance, run attach-volume command (OSX/Linux/UNIX):

    aws ec2 attach-volume \
      --region us-east-1 \
      --volume-id vol-0abcdabcdabcdabcd \
      --instance-id i-01234123412341234 \
      --device /dev/sdf

  4. The output should return the attach-volume command request metadata:

    {
      "AttachTime": "2021-06-28T13:00:19.000Z",
      "InstanceId": "i-01234123412341234",
      "VolumeId": "vol-0abcdabcdabcdabcd",
      "State": "attaching",
      "Device": "/dev/sdf"
    }

10 Repeat steps no. 1 – 9 to encrypt each app-tier EBS volume available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
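Steps 02 through 09 above are a fixed sequence (snapshot, encrypted copy, new volume, tag, re-attach) that is easy to get wrong by hand, for instance by forgetting the tag so the new volume drops out of the rule's scope, or by attaching before the volume is available. The routine below is an added example, not Conformity's or AWS's code: it performs the same sequence through a boto3 EC2 client, waits on the AWS waiters between steps, and takes the availability zone, size, type, instance and device name from the source volume rather than retyping them. FakeEc2, SAMPLE_VOLUME and every ID in it are constructed stand-ins so the routine can be dry-run offline; against a real account you would pass a boto3 client instead.

```python
"""Added example (not Conformity's or AWS's code): the CLI remediation sequence
(create-snapshot, copy-snapshot --encrypted, create-volume, create-tags,
detach-volume, attach-volume) as one routine against a boto3 EC2 client.
FakeEc2 is a constructed stand-in so the routine can be dry-run without AWS."""


def needs_encryption(volume):
    """True for a volume whose describe-volumes entry is not encrypted at rest."""
    return not volume.get("Encrypted", False)


def encrypt_app_tier_volume(ec2, volume_id, tag_key, tag_value, region, kms_key_id=None):
    """Re-create an unencrypted volume as an encrypted one; returns the new volume ID.

    kms_key_id=None uses the AWS-managed default key (aws/ebs); pass a CMK ARN to
    mirror the --kms-key-id parameter of copy-snapshot / create-volume.
    """
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if not needs_encryption(src):
        return volume_id  # already compliant: do not re-create it

    # Step 02: snapshot the unencrypted volume (this snapshot is unencrypted too).
    snap_id = ec2.create_snapshot(VolumeId=volume_id)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # Step 04: encrypted copy of that snapshot.
    copy_args = {"SourceRegion": region, "SourceSnapshotId": snap_id, "Encrypted": True}
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap_id = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # Step 06: new volume from the encrypted copy, same AZ, type and size as the source.
    vol_args = {"AvailabilityZone": src["AvailabilityZone"], "SnapshotId": enc_snap_id,
                "VolumeType": src["VolumeType"], "Size": src["Size"], "Encrypted": True}
    if kms_key_id:
        vol_args["KmsKeyId"] = kms_key_id
    new_id = ec2.create_volume(**vol_args)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # Step 08: carry the app-tier tag over, otherwise the rule no longer sees the volume.
    ec2.create_tags(Resources=[new_id], Tags=[{"Key": tag_key, "Value": tag_value}])

    # Step 09: swap the attachment, reusing the instance and device name of the old volume
    # (unmount the filesystem on the instance before detaching to avoid a dirty volume).
    for att in src.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_id, InstanceId=att["InstanceId"], Device=att["Device"])
    return new_id


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client: records each call's kwargs and
    returns canned responses so the routine above runs without AWS credentials."""
    RESPONSES = {"create_snapshot": {"SnapshotId": "snap-plain"},
                 "copy_snapshot": {"SnapshotId": "snap-encrypted"},
                 "create_volume": {"VolumeId": "vol-new"}}

    def __init__(self, volume):
        self.volume, self.calls = volume, []

    def __getattr__(self, name):  # any API method not defined explicitly below
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "describe_volumes":
                return {"Volumes": [self.volume]}
            return self.RESPONSES.get(name, {})
        return call

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()


SAMPLE_VOLUME = {  # constructed describe-volumes entry: attached, tagged, unencrypted
    "VolumeId": "vol-old", "Encrypted": False, "AvailabilityZone": "us-east-1a",
    "VolumeType": "gp2", "Size": 150,
    "Attachments": [{"InstanceId": "i-example", "Device": "/dev/sdf"}],
    "Tags": [{"Key": "Tier", "Value": "app"}]}


def dry_run(kms_key_id=None):
    """Run the routine against FakeEc2; returns (new volume ID, ordered API call names)."""
    ec2 = FakeEc2(SAMPLE_VOLUME)
    new_id = encrypt_app_tier_volume(ec2, "vol-old", "Tier", "app", "us-east-1", kms_key_id)
    return new_id, [name for name, _ in ec2.calls]


if __name__ == "__main__":
    print(dry_run())
    # Against a real account: import boto3; ec2 = boto3.client("ec2", region_name="us-east-1")
    # then encrypt_app_tier_volume(ec2, "<volume-id>", "<app_tier_tag>", "<app_tier_tag_value>", "us-east-1")
```

The routine returns the source volume ID untouched when it is already encrypted, so it can be driven straight from an audit's list of app-tier volumes without first filtering it; the unencrypted source volume and its two snapshots are left in place, to be deleted once the new volume has been verified on the instance.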

Publication date Apr 5, 2016