Ensure that all your new Amazon EBS volumes are encrypted by default within the specified AWS cloud region in order to reach your data protection and compliance goals.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with EBS data that is crucial to your business, it is strongly recommended to implement encryption at rest in order to protect your data from attackers or unauthorized personnel. When the Encryption by Default feature is enabled, all new Amazon EBS volumes and copies of snapshots created in the specified region(s) are encrypted by default. If you implement AWS IAM policies that require the use of encrypted EBS volumes, you can use this feature to avoid the launch failures that would occur if an unencrypted volume were inadvertently referenced when an instance is launched. In this case, your SecOps team can enable encryption by default without having to coordinate with your development team and without performing additional operational changes. Your new EBS volumes are encrypted with the AWS-managed master key unless you specify a different key at launch time.
Note: Enabling this feature does not affect existing unencrypted Amazon EBS volumes.
Audit
To determine the Encryption by Default feature status for your Amazon EBS volumes in the specified AWS region, perform the following operations:
Remediation / Resolution
To enable encryption by default for your new Amazon EBS volumes, perform the following operations:
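The audit and remediation steps above can be scripted against the EC2 API with boto3. The following is an added example, not Conformity's own code: it reads the region-level setting (audit), enables it only where it is off (remediation), and reports the default KMS key that new volumes will use. The EC2 client is injected so the logic can be exercised without AWS credentials; `boto3.client("ec2", region_name=...)` is the real client.

```python
# Added example (not Conformity's own code): audit Encryption by Default for
# EBS in one or more AWS regions and optionally remediate. The EC2 client is
# passed in; with boto3 it is boto3.client("ec2", region_name=region).

from dataclasses import dataclass


@dataclass
class RegionStatus:
    region: str
    encrypted_by_default: bool   # state found during the audit
    default_kms_key: str         # key new volumes use (AWS-managed unless changed)
    remediated: bool = False     # True when this run turned the feature on


def audit_region(ec2, region):
    """Read the region-level Encryption by Default setting (no changes made)."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionStatus(region, enabled, key_id)


def remediate_region(ec2, status):
    """Enable Encryption by Default if the audit found it off. Existing
    unencrypted volumes are unaffected, so the fix is safe to apply at once."""
    if status.encrypted_by_default:
        return status
    resp = ec2.enable_ebs_encryption_by_default()
    if not resp.get("EbsEncryptionByDefault"):
        raise RuntimeError(f"{status.region}: enable call did not take effect")
    status.encrypted_by_default = True
    status.remediated = True
    return status


def check_regions(client_factory, regions, remediate=False):
    """client_factory(region) -> EC2 client. Returns {region: RegionStatus}."""
    results = {}
    for region in regions:
        ec2 = client_factory(region)
        status = audit_region(ec2, region)
        if remediate:
            status = remediate_region(ec2, status)
        results[region] = status
    return results


if __name__ == "__main__":
    import sys, boto3                        # real clients only when run directly
    do_fix = "--remediate" in sys.argv
    names = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for s in check_regions(lambda r: boto3.client("ec2", region_name=r), names, do_fix).values():
        verdict = "OK" if s.encrypted_by_default else "NOT ENCRYPTED BY DEFAULT"
        print(f"{s.region}: {verdict} (key: {s.default_kms_key}, fixed now: {s.remediated})")
```

Run without arguments for a read-only audit of every region; pass `--remediate` to enable the feature where it is off.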
References
- AWS Documentation
  - Amazon Elastic Block Store (Amazon EBS)
  - Amazon EBS encryption
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - get-ebs-encryption-by-default
  - enable-ebs-encryption-by-default