Ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted in order to meet security and compliance requirements. With encryption enabled, your EBS volumes can hold sensitive, confidential, and critical data. The data encryption and decryption process is handled transparently and does not require any additional action from you, your server instance, or your application.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect your data from attackers or unauthorized personnel. With encryption at rest enabled, the data stored on your Amazon EBS volumes, the disk I/O to and from those volumes, and the snapshots created from them are all encrypted. Encryption uses the AES-256 algorithm, and the keys are entirely managed and protected by the key management infrastructure of the Amazon Key Management Service (KMS).
Audit
To determine if your Amazon EBS volumes are encrypted at rest, perform the following operations:
Remediation / Resolution
To enable encryption at rest for your Amazon EBS volumes, perform the following operations:
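As an added example (not Conformity's or AWS's own code), the following Python script runs the audit over `aws ec2 describe-volumes` output and emits, for each unencrypted volume, the CLI sequence the references below describe: snapshot, encrypted copy of the snapshot, new volume from that copy, then swapping the attachment. The sample volumes, instance ID and region are constructed placeholders, and the `kms_key_id` default is the AWS-managed EBS key.

```python
"""Audit describe-volumes output for unencrypted EBS volumes and build the
CLI remediation sequence for each (added example, not the page's own code)."""
import json

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp3", "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp3", "Attachments": []},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "AvailabilityZone": "us-east-1b",
     "VolumeType": "gp2", "Attachments": []},
]})


def unencrypted_volumes(describe_volumes_json):
    """Audit step: return every volume whose Encrypted flag is not true."""
    return [v for v in json.loads(describe_volumes_json)["Volumes"]
            if not v.get("Encrypted", False)]


def remediation_plan(volume, region, kms_key_id="alias/aws/ebs"):
    """Remediation step: snapshot -> encrypted copy -> new volume -> re-attach,
    with `aws ec2 wait` calls so each command only runs on finished resources.
    Pass a customer-managed key ARN as kms_key_id to use your own CMK."""
    vid, az, vtype = volume["VolumeId"], volume["AvailabilityZone"], volume["VolumeType"]
    r = f"--region {region}"
    plan = [
        f'SNAP=$(aws ec2 create-snapshot {r} --volume-id {vid} '
        f'--description "unencrypted source {vid}" --query SnapshotId --output text)',
        f'aws ec2 wait snapshot-completed {r} --snapshot-ids "$SNAP"',
        f'ENC_SNAP=$(aws ec2 copy-snapshot {r} --source-region {region} '
        f'--source-snapshot-id "$SNAP" --encrypted --kms-key-id {kms_key_id} '
        f'--query SnapshotId --output text)',
        f'aws ec2 wait snapshot-completed {r} --snapshot-ids "$ENC_SNAP"',
        f'NEW_VOL=$(aws ec2 create-volume {r} --snapshot-id "$ENC_SNAP" '
        f'--availability-zone {az} --volume-type {vtype} --query VolumeId --output text)',
        f'aws ec2 wait volume-available {r} --volume-ids "$NEW_VOL"',
    ]
    for att in volume.get("Attachments", []):
        # A root volume can only be detached from a stopped instance; stop it first.
        plan += [
            f'aws ec2 detach-volume {r} --volume-id {vid}',
            f'aws ec2 wait volume-available {r} --volume-ids {vid}',
            f'aws ec2 attach-volume {r} --volume-id "$NEW_VOL" '
            f'--instance-id {att["InstanceId"]} --device {att["Device"]}',
        ]
    return plan


if __name__ == "__main__":
    for vol in unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print("\n".join(remediation_plan(vol, "us-east-1")))
```

The same audit can be done server-side with `aws ec2 describe-volumes --filters Name=encrypted,Values=false`; delete the original unencrypted volume and its source snapshot only after the encrypted replacement has been verified.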
References
- AWS Documentation
  - Amazon Elastic Block Store (Amazon EBS)
  - Amazon EBS Encryption
  - Copy an Amazon EBS snapshot
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-volumes
    - create-snapshot
    - copy-snapshot
    - create-volume
    - detach-volume
    - attach-volume
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider