Ensure that your new Amazon EBS volumes (and copies of their snapshots) are always encrypted with customer-managed Customer Master Keys (CMKs) in order to have complete control over the data encryption/decryption process and to meet security and compliance requirements. A Customer Master Key (CMK) is managed by AWS Key Management Service (KMS) and is a logical representation of a symmetric master key. The CMK includes metadata such as the key ID, creation date, description, and key state, and it also contains the key material used to encrypt and decrypt data.
When the Encryption by Default feature is enabled, all new Amazon EBS volumes and copies of snapshots created in the specified region(s) are encrypted by default using an AWS-managed key (the default master key that protects EBS data when no other key is defined). This meets general security requirements, as it protects your data at rest. However, if you have strict compliance requirements for data encryption, or your applications store and process sensitive or confidential data, you may need to create your own master key. With AWS KMS, you can choose to create and use your own Customer Master Key to encrypt your data at rest. This gives you the ability to support PCI DSS requirements for separate authentication of storage and cryptography, KMS-based control of your key material, and the ability to audit the encryption and decryption of your Amazon EBS volume data.
Note: This conformity rule assumes that Encryption by Default is already enabled within your AWS account attributes settings.
Audit
To determine the type of the default encryption key configured for your new Amazon EBS volumes, perform the following actions:
Remediation / Resolution
To enable encryption by default for your new Amazon EBS volumes using customer-managed Customer Master Keys (CMKs), perform the following actions:
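The audit and remediation above both reduce to the same check: what `get-ebs-default-kms-key-id` returns for a region and what `describe-key` reports about that key. The following boto3 script is an added example, not part of this page or of AWS's own tooling; it assumes boto3 is installed with credentials configured, and the sample responses and key ARN are constructed placeholders.

```python
"""Audit and remediate a region's default EBS encryption key (added example).
The decision logic is a pure function so it can be checked offline."""

AWS_MANAGED_EBS_ALIAS = "alias/aws/ebs"  # returned when no customer CMK has been set


def classify_ebs_default_key(default_key_id, key_metadata):
    """Judge a region's default EBS key against the rule.
    default_key_id: KmsKeyId from `ec2 get-ebs-default-kms-key-id`
    key_metadata:   KeyMetadata from `kms describe-key` for that key"""
    manager = key_metadata.get("KeyManager")  # "AWS" or "CUSTOMER"
    state = key_metadata.get("KeyState")
    findings = []
    if default_key_id == AWS_MANAGED_EBS_ALIAS or manager != "CUSTOMER":
        findings.append("default EBS key is AWS-managed; key policy and rotation are not under your control")
    if state != "Enabled":
        findings.append(f"key state is {state}; creation of encrypted volumes would fail")
    if key_metadata.get("KeyUsage", "ENCRYPT_DECRYPT") != "ENCRYPT_DECRYPT":
        findings.append("EBS requires a symmetric ENCRYPT_DECRYPT key")
    return {"key_id": default_key_id, "key_manager": manager,
            "compliant": not findings, "findings": findings}


def audit_region(region):
    """Live check (assumes boto3 and AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    return classify_ebs_default_key(key_id, meta)


def remediate_region(region, cmk_arn):
    """Set a customer-managed CMK as the default, after verifying the key itself passes."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    verdict = classify_ebs_default_key(cmk_arn, kms.describe_key(KeyId=cmk_arn)["KeyMetadata"])
    if not verdict["compliant"]:
        raise ValueError(f"refusing to set {cmk_arn}: {verdict['findings']}")
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_ebs_default_kms_key_id(KmsKeyId=cmk_arn)["KmsKeyId"]


# Constructed sample KeyMetadata (placeholder account id and key id) for offline use.
AWS_MANAGED_SAMPLE = {"KeyManager": "AWS", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT"}
CUSTOMER_SAMPLE = {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT",
                   "Arn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
```

Run `audit_region` for every region where EBS volumes are created, since the default key is a per-region setting.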
References
- AWS Documentation
  - Amazon Elastic Block Store (Amazon EBS)
  - Amazon EBS encryption
  - AWS Key Management Service
  - AWS KMS concepts
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - get-ebs-default-kms-key-id
    - modify-ebs-default-kms-key-id
  - kms
    - describe-key
    - create-key
    - create-alias