
Enable Encryption by Default for EBS Volumes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EBS-014

Ensure that all your new Amazon EBS volumes are encrypted by default within the specified AWS cloud region in order to reach your data protection and compliance goals.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with EBS data that is crucial to your business, it is strongly recommended to implement encryption at rest in order to protect your data from attackers or unauthorized personnel. When the Encryption by Default feature is enabled, all new Amazon EBS volumes and copies of snapshots created in the specified region(s) are encrypted by default. If you implement Amazon IAM policies that require the use of encrypted EBS volumes, you can use this feature to avoid launch failures that would occur if unencrypted volumes were inadvertently referenced when an instance is launched. In this case, your SecOps team can enable encryption by default without having to coordinate with your development team and without performing additional operational changes. Your new EBS volumes are encrypted with the AWS-managed master key unless you specify a different key at launch time.

Note: Enabling this feature does not affect existing unencrypted Amazon EBS volumes.


Audit

To determine the Encryption by Default feature status for your Amazon EBS volumes in the specified AWS region, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 Select the AWS cloud region that you want to access from the console navigation bar.

04 In the Account attributes section, under Settings, choose EBS encryption to access the EBS configuration settings available for the EBS volumes within the selected AWS region.

05 On the Settings page, select the EBS encryption tab, and check the Always encrypt new EBS volumes configuration attribute status. If the attribute status is set to Disabled, the encryption of data at rest by default for new EBS volumes is not enabled in the selected AWS region.

06 Change the AWS region from the console navigation bar and repeat step no. 5 to verify the configuration status of the EBS encryption by default for other AWS cloud regions.

Using AWS CLI

01 Run the get-ebs-encryption-by-default command (OSX/Linux/UNIX) using custom query filters to describe whether EBS encryption by default is enabled for your AWS cloud account in the selected region:

aws ec2 get-ebs-encryption-by-default \
  --region us-east-1 \
  --query 'EbsEncryptionByDefault'

02 The command output should return the requested feature configuration status (true for enabled, false for disabled):

false

If get-ebs-encryption-by-default command output returns false, as shown in the example above, the encryption of data at rest by default for new EBS volumes is not enabled in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to verify the configuration status of the EBS encryption by default for other AWS regions.

Remediation / Resolution

To enable encryption by default for your new Amazon EBS volumes, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_ebs_encryption_by_default" "default-ebs-volume-encryption" {
	enabled = true
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 Select the AWS cloud region that you want to access from the console navigation bar.

04 In the Account attributes section, under Settings, choose EBS encryption to access the EBS configuration settings available for the EBS volumes within the selected AWS region.

05 On the Settings page, select the EBS encryption tab, and click on the Manage button to modify the EBS feature settings.

06 On the Modify EBS encryption page, select Enable under Always encrypt new EBS volumes and click inside the Default encryption key configuration box to choose the master key to encrypt your EBS volumes. Choose Update EBS encryption to save the configuration changes. After you enable EBS encryption by default, the Amazon EBS volumes that you create are always encrypted, either using the default master key or the Customer Master Key (CMK) that you specified when you created each volume.

07 Change the AWS region from the console navigation bar and repeat steps no. 5 and 6 to enable encryption by default for the Amazon EBS volumes in other AWS cloud regions.

Using AWS CLI

01 Run the enable-ebs-encryption-by-default command (OSX/Linux/UNIX) to enable encryption by default for all the Amazon EBS volumes that will be created in the selected AWS cloud region:

aws ec2 enable-ebs-encryption-by-default \
  --region us-east-1

02 The command output should return the new EBS encryption by default configuration status:

{
	"EbsEncryptionByDefault": true
}

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to enable encryption by default for Amazon EBS volumes within other AWS cloud regions.
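As an added example (not the Conformity page's own code), the following POSIX shell script turns the Audit and Remediation CLI steps above into one sweep across every region the account can use, printing each region's status and enabling encryption by default only where it is off. It assumes the AWS CLI is installed and credentialed; the query_region, list_regions and enable_region helper names are the example's own.

```shell
# Added example, not the Conformity page's own code: sweep every region the
# account can use for EBS encryption by default (EBS-014), enable where off.
set -eu

# Raw answer for one region: the CLI's text rendering of EbsEncryptionByDefault
# ("True"/"False"). A function so it can be replaced by an offline stub.
query_region() {
  aws ec2 get-ebs-encryption-by-default --region "$1" \
    --query 'EbsEncryptionByDefault' --output text
}

# Regions enabled for this account, one per line (also replaceable).
list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' '\n'
}

# The page's remediation step for a single region (also replaceable).
enable_region() {
  aws ec2 enable-ebs-encryption-by-default --region "$1" >/dev/null
}

# Map a raw answer to a verdict, case-insensitively. Anything other than
# true/false (an API error, an empty reply) is UNKNOWN, never COMPLIANT.
classify() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true)  printf 'COMPLIANT' ;;
    false) printf 'NON-COMPLIANT' ;;
    *)     printf 'UNKNOWN' ;;
  esac
}

# Print "<region> <verdict>" per line; return 1 if any region is not
# COMPLIANT so the audit can gate a pipeline.
audit_all_regions() {
  rc=0
  for region in $(list_regions); do
    verdict="$(classify "$(query_region "$region" 2>/dev/null || echo error)")"
    printf '%s %s\n' "$region" "$verdict"
    [ "$verdict" = "COMPLIANT" ] || rc=1
  done
  return "$rc"
}

# Remediate only the regions the audit flagged as NON-COMPLIANT.
enable_where_disabled() {
  audit_all_regions | awk '$2 == "NON-COMPLIANT" { print $1 }' | while read -r region; do
    enable_region "$region" && printf 'enabled in %s\n' "$region"
  done
}
case "${1:-}" in --audit) audit_all_regions ;; --enable) enable_where_disabled ;; esac
```

Run it with --audit to report (non-zero exit if any region is not compliant) or --enable to remediate; as the Note above states, enabling the setting does not encrypt volumes that already exist.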


Publication date Nov 25, 2020