EBS Encrypted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EBS-001

Ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted in order to meet security and compliance requirements. With encryption enabled, your EBS volumes can safely hold sensitive, confidential, and business-critical data. The data encryption and decryption process is handled transparently and does not require any additional action from you, your server instance, or your application.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect your data from attackers or unauthorized personnel. With encryption at rest enabled, the data stored on your Amazon EBS volumes, the disk I/O between the instance and the volume, and the snapshots created from your volumes are all encrypted. Encryption uses the AES-256 algorithm, and the keys are entirely managed and protected by the key management infrastructure of AWS Key Management Service (KMS).

Audit

To determine if your Amazon EBS volumes are encrypted at rest, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Amazon EBS volume that you want to examine.

05 Choose the Description tab from the console bottom panel and check the Encryption attribute value. If the Encryption attribute value is set to Not Encrypted, the selected Amazon EBS volume is not encrypted at rest.

06 Repeat steps no. 4 and 5 for each Amazon EBS volume created within the current AWS region.

07 Change the AWS cloud region from the navigation bar and perform the Audit process for other regions.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Amazon EBS volume provisioned in the selected AWS cloud region:

aws ec2 describe-volumes \
  --region us-east-1 \
  --query 'Volumes[*].VolumeId'

02 The command output should return the requested volume ID(s):

[
    "vol-0abcd1234abcd1234",
    "vol-01234abcd1234abcd"
]

03 Run describe-volumes command (OSX/Linux/UNIX) using the ID of the Amazon EBS volume that you want to examine as the identifier parameter and custom query filters to determine whether the selected EBS volume is encrypted or not:

aws ec2 describe-volumes \
  --region us-east-1 \
  --volume-ids vol-0abcd1234abcd1234 \
  --query 'Volumes[*].Encrypted'

04 The command output should return the requested encryption status (true for encrypted, false for unencrypted):

[
  false
]

If the describe-volumes command output returns false, as shown in the example above, the selected Amazon EBS volume is not encrypted at rest.

05 Repeat steps no. 3 and 4 for each Amazon EBS volume available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
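The per-volume checks above scale poorly across many volumes and regions. The following script is an added example (not Conformity's own code): its pure functions work on the JSON shape that describe-volumes returns, so the logic runs offline on a constructed sample, and audit_regions() wraps them with boto3 (assumed installed and credentialed) to cover every enabled region in one pass. As a generalisation of the page's check it also reports whether EBS encryption by default is enabled in each region, which is what stops new unencrypted volumes from appearing.

```python
"""Cross-region audit for EBS encryption at rest (Conformity rule EBS-001).

Added example, not Conformity's own code. classify_volumes() and
attachments_of() are pure functions over the JSON shape returned by
`aws ec2 describe-volumes` (and boto3's describe_volumes), so they run
offline on SAMPLE_RESPONSE. audit_regions() wraps them with boto3, which
is assumed to be installed with credentials available.
"""

# Constructed sample in the describe-volumes output shape; the IDs are
# placeholders in the style the page uses, not real resources.
SAMPLE_RESPONSE = {
    "Volumes": [
        {
            "VolumeId": "vol-0abcd1234abcd1234",
            "AvailabilityZone": "us-east-1a",
            "Size": 150,
            "VolumeType": "gp2",
            "Encrypted": False,
            "Attachments": [
                {"InstanceId": "i-01234123412341234", "Device": "/dev/sdf", "State": "attached"}
            ],
        },
        {
            "VolumeId": "vol-01234abcd1234abcd",
            "AvailabilityZone": "us-east-1a",
            "Size": 8,
            "VolumeType": "gp3",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
            "Attachments": [],
        },
    ]
}


def classify_volumes(response):
    """Split a describe-volumes response into non-compliant and compliant volumes.

    Returns {"unencrypted": [volume ids], "encrypted": {volume id: KmsKeyId}}.
    A missing "Encrypted" field is treated as unencrypted (fail closed).
    """
    result = {"unencrypted": [], "encrypted": {}}
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted", False):
            result["encrypted"][vol["VolumeId"]] = vol.get("KmsKeyId")
        else:
            result["unencrypted"].append(vol["VolumeId"])
    return result


def attachments_of(response, volume_ids):
    """Map each listed volume to its (InstanceId, Device) attachments.

    Remediation has to detach and re-attach exactly these, so the audit
    records them next to the finding.
    """
    wanted = set(volume_ids)
    out = {}
    for vol in response.get("Volumes", []):
        if vol["VolumeId"] in wanted:
            out[vol["VolumeId"]] = [
                (a["InstanceId"], a["Device"]) for a in vol.get("Attachments", [])
            ]
    return out


def audit_regions(regions=None):
    """Live audit with boto3: one describe-volumes paginator per enabled region.

    Returns {region: {"unencrypted": [...], "attachments": {...},
                      "encryption_by_default": bool}}.
    """
    import boto3  # assumed installed; credentials come from the usual chain

    session = boto3.session.Session()
    if regions is None:
        # describe-regions lists only regions enabled for this account.
        seed = session.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in seed.describe_regions()["Regions"]]
    report = {}
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        volumes = []
        for page in ec2.get_paginator("describe_volumes").paginate():
            volumes.extend(page["Volumes"])
        response = {"Volumes": volumes}
        found = classify_volumes(response)
        report[region] = {
            "unencrypted": found["unencrypted"],
            "attachments": attachments_of(response, found["unencrypted"]),
            # Default encryption is the preventive control for new volumes.
            "encryption_by_default": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        }
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    finding = classify_volumes(SAMPLE_RESPONSE)
    for vid in finding["unencrypted"]:
        print(f"NOT ENCRYPTED: {vid} attached to {attachments_of(SAMPLE_RESPONSE, [vid])[vid]}")
```

Run as-is the script prints the constructed finding; call audit_regions() with live credentials to get the same structure per region. The attachment map is kept deliberately, because the remediation in the next section has to detach and re-attach exactly those instance/device pairs.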

Remediation / Resolution

To enable encryption at rest for your Amazon EBS volumes, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description":"Create and Attach Encrypted EBS Volume",
   "Resources":{
      "EncryptedEBSVolume" : {
         "Type" : "AWS::EC2::Volume",
         "Properties" : {
            "SnapshotId" : "snap-01234abcd1234abcd",
            "VolumeType" : "gp2",
            "Encrypted" : true,
            "AvailabilityZone" : "us-east-1c"
         }
      },
      "MountPoint" : {
         "Type" : "AWS::EC2::VolumeAttachment",
         "Properties" : {
            "InstanceId" : "i-0abcd1234abcd1234",
            "VolumeId"  : { "Ref" : "EncryptedEBSVolume" },
            "Device" : "/dev/sdf"
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create and Attach Encrypted EBS Volume
Resources:
  EncryptedEBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      SnapshotId: snap-01234abcd1234abcd
      VolumeType: gp2
      Encrypted: true
      AvailabilityZone: us-east-1c
  MountPoint:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: i-0abcd1234abcd1234
      VolumeId:
        Ref: EncryptedEBSVolume
      Device: "/dev/sdf"

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-snapshot" {
  volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_volume" "encrypted-ebs-volume" {
  snapshot_id       = aws_ebs_snapshot.ebs-snapshot.id
  type              = "gp2"
  encrypted         = true
  availability_zone = "us-east-1c"
}

resource "aws_volume_attachment" "encrypted-volume-attachment" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.encrypted-ebs-volume.id
  instance_id = "i-0abcd1234abcd1234"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, choose Volumes.

04 Select the Amazon EBS volume that you want to encrypt.

05 Choose the Actions dropdown button from the console top menu and select Create Snapshot.

06 On the Create Snapshot setup page, provide a short description in the Description box, then choose Create Snapshot. Choose Close to return to the Amazon EC2 console.

07 In the navigation panel, under Elastic Block Store, choose Snapshots.

08 Select the newly created EBS volume snapshot, choose Actions, and select Copy.

09 In the Copy Snapshot configuration box, select the Encrypt this snapshot checkbox, choose (default) aws/ebs to use the default master key provided by AWS or select your own Customer Master Key (CMK) from the Master key dropdown list, and choose Copy. Click Close to return to the Snapshots page.

10 Select the new (copied) EBS volume snapshot, choose Actions, and select Create Volume.

11 On the Create Volume setup page, make sure that the appropriate master key (AWS-managed or customer-managed) is selected from the Master Key dropdown list, review the volume configuration details, then choose Create Volume to provision your new Amazon EBS volume. Click Close to return to the Amazon EC2 console.

12 (Optional) To replace the unencrypted EBS volume with the encrypted volume created in the previous steps within the Amazon EC2 instance configuration, perform the following actions:

  1. In the navigation panel, under Elastic Block Store, choose Volumes.
  2. Select the unencrypted Amazon EBS volume that you want to replace.
  3. Choose the Actions dropdown button from the console top menu and select Detach Volume.
  4. Inside the Detach Volume dialog box, choose Yes, Detach.
  5. Select the newly created and encrypted Amazon EBS volume.
  6. Choose the Actions button from the console top menu and select Attach Volume.
  7. In the Attach Volume configuration box, select the ID of the EC2 instance detached at step 3 from the Instance box, provide the device name required for attachment in the Device box, then choose Attach to attach the new, encrypted EBS volume.

13 Repeat steps no. 4 – 12 to encrypt each Amazon EBS volume provisioned within the current AWS region.

14 Change the AWS cloud region from the navigation bar and perform the Remediation process for other regions.

Using AWS CLI

01 To encrypt existing Amazon EBS volumes, you must re-create the volumes that you want to encrypt. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from the specified, unencrypted EBS volume:

aws ec2 create-snapshot \
  --region us-east-1 \
  --volume-id vol-0abcd1234abcd1234

02 The output should return the create-snapshot command request metadata:

{
    "Description": "",
    "Tags": [],
    "Encrypted": false,
    "VolumeId": "vol-0abcd1234abcd1234",
    "State": "pending",
    "VolumeSize": 150,
    "StartTime": "2021-06-20T11:37:31.000Z",
    "Progress": "",
    "OwnerId": "123456789012",
    "SnapshotId": "snap-0abcd1234abcd1234"
}

03 Run copy-snapshot command (OSX/Linux/UNIX) to copy the EBS volume snapshot created at the previous step. Use the --encrypted command parameter to encrypt the snapshot copy using the default master key (i.e. aws/ebs). (Optional) Include the --kms-key-id command parameter to encrypt the snapshot with a customer-managed Customer Master Key (CMK):

aws ec2 copy-snapshot \
  --region us-east-1 \
  --source-region us-east-1 \
  --source-snapshot-id snap-0abcd1234abcd1234 \
  --encrypted

04 The command output should return the ID of the new EBS volume snapshot:

{
    "SnapshotId": "snap-01234abcd1234abcd"
}

05 Run create-volume command (OSX/Linux/UNIX) to create a new Amazon EBS volume from the encrypted snapshot (copy) created at the previous steps. (Optional) To encrypt the new EBS volume with your own Customer Master Key (CMK), include the --kms-key-id parameter in the create-volume command request:

aws ec2 create-volume \
  --region us-east-1 \
  --volume-type gp2 \
  --size 150 \
  --availability-zone us-east-1a \
  --snapshot-id snap-01234abcd1234abcd \
  --encrypted

06 The command output should return the metadata available for the new, encrypted Amazon EBS volume:

{
    "AvailabilityZone": "us-east-1a",
    "MultiAttachEnabled": false,
    "Tags": [],
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-0abcdabcdabcdabcd",
    "State": "creating",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "SnapshotId": "snap-01234abcd1234abcd",
    "Iops": 450,
    "CreateTime": "2021-06-28T11:00:00.000Z",
    "Size": 150
}

07 (Optional) To replace the unencrypted EBS volume with the encrypted volume created in the previous steps within the Amazon EC2 instance configuration, perform the following actions:

  1. Run detach-volume command (OSX/Linux/UNIX) to detach the unencrypted Amazon EBS volume from the specified EC2 instance:
    aws ec2 detach-volume \
      --region us-east-1 \
      --volume-id vol-0abcd1234abcd1234

  2. The output should return the detach-volume command request metadata:
    {
        "AttachTime": "2021-06-28T12:00:19.000Z",
        "InstanceId": "i-01234123412341234",
        "VolumeId": "vol-0abcd1234abcd1234",
        "State": "detaching",
        "Device": "/dev/sdf"
    }

  3. To attach the new, encrypted Amazon EBS volume to the selected EC2 instance, run attach-volume command (OSX/Linux/UNIX):
    aws ec2 attach-volume \
      --region us-east-1 \
      --volume-id vol-0abcdabcdabcdabcd \
      --instance-id i-01234123412341234 \
      --device /dev/sdf

  4. The output should return the attach-volume command request metadata:
    {
        "AttachTime": "2021-06-28T13:00:19.000Z",
        "InstanceId": "i-01234123412341234",
        "VolumeId": "vol-0abcdabcdabcdabcd",
        "State": "attaching",
        "Device": "/dev/sdf"
    }

08 Repeat steps no. 1 – 7 to encrypt each Amazon EBS volume available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
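The CLI steps 01 to 07 above are a fixed sequence whose later commands depend on IDs returned by earlier ones, and the snapshot created in step 01 is still "pending" when step 03 would copy it. The script below is an added example (not Conformity's own code) that drives the same sequence through the AWS CLI, inserting the `aws ec2 wait` commands the CLI provides so each step starts only once the previous resource is ready, and keeps a record of every command issued for the change ticket. The CLI is assumed to be installed and credentialed; the `run` hook is injectable so the flow can be checked offline with constructed IDs.

```python
"""Re-create an unencrypted EBS volume as an encrypted one (rule EBS-001).

Added example, not Conformity's own code. It issues the same AWS CLI
sequence the remediation steps describe (create-snapshot, copy-snapshot
--encrypted, create-volume, detach-volume, attach-volume) plus the
`aws ec2 wait` calls between them. The AWS CLI is assumed to be installed
and credentialed; `run` is injectable so the sequence can be tested offline.
"""
import json
import subprocess

# Constructed input in the describe-volumes Volume shape; placeholder IDs.
SAMPLE_VOLUME = {
    "VolumeId": "vol-0abcd1234abcd1234",
    "AvailabilityZone": "us-east-1a",
    "VolumeType": "gp2",
    "Size": 150,
    "Encrypted": False,
    "Attachments": [{"InstanceId": "i-01234123412341234", "Device": "/dev/sdf"}],
}


def aws_ec2(argv, region):
    """Execute `aws ec2 <argv>` and return its parsed JSON output ({} if none)."""
    proc = subprocess.run(
        ["aws", "ec2", *argv, "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def remediate_volume(volume, region, kms_key_id=None, run=None):
    """Encrypt `volume` (a describe-volumes Volume dict) by re-creating it.

    `run(argv) -> dict` executes one `aws ec2` command and defaults to the
    real CLI. Returns the new IDs plus every command issued. The original
    volume is left in place for rollback; delete it separately once the
    encrypted copy has been verified.
    """
    run = run or (lambda argv: aws_ec2(argv, region))
    issued = []

    def do(argv):
        issued.append(argv)
        return run(argv)

    old_id = volume["VolumeId"]

    # 1. Point-in-time snapshot of the unencrypted volume. Quiesce the file
    #    system on a live volume first if a crash-consistent copy is not enough.
    snap = do(["create-snapshot", "--volume-id", old_id,
               "--description", f"EBS-001 source snapshot of {old_id}"])["SnapshotId"]
    do(["wait", "snapshot-completed", "--snapshot-ids", snap])

    # 2. Encrypted copy; --kms-key-id selects a customer-managed key, else aws/ebs.
    copy = ["copy-snapshot", "--source-region", region,
            "--source-snapshot-id", snap, "--encrypted"]
    if kms_key_id:
        copy += ["--kms-key-id", kms_key_id]
    enc_snap = do(copy)["SnapshotId"]
    do(["wait", "snapshot-completed", "--snapshot-ids", enc_snap])

    # 3. New volume from the encrypted snapshot, same AZ/type/size as the original.
    create = ["create-volume", "--availability-zone", volume["AvailabilityZone"],
              "--volume-type", volume["VolumeType"], "--size", str(volume["Size"]),
              "--snapshot-id", enc_snap, "--encrypted"]
    if kms_key_id:
        create += ["--kms-key-id", kms_key_id]
    new_id = do(create)["VolumeId"]
    do(["wait", "volume-available", "--volume-ids", new_id])

    # 4. Swap the volumes on each instance the original was attached to.
    for att in volume.get("Attachments", []):
        do(["detach-volume", "--volume-id", old_id, "--instance-id", att["InstanceId"]])
        do(["wait", "volume-available", "--volume-ids", old_id])
        do(["attach-volume", "--volume-id", new_id,
            "--instance-id", att["InstanceId"], "--device", att["Device"]])

    return {"old_volume": old_id, "new_volume": new_id,
            "encrypted_snapshot": enc_snap, "commands": issued}


def offline_runner(argv):
    """Stand-in for the CLI: returns constructed IDs so the flow runs offline."""
    return {"create-snapshot": {"SnapshotId": "snap-0abcd1234abcd1234"},
            "copy-snapshot": {"SnapshotId": "snap-01234abcd1234abcd"},
            "create-volume": {"VolumeId": "vol-0abcdabcdabcdabcd"}}.get(argv[0], {})


if __name__ == "__main__":
    # Dry run: print the exact command sequence without touching AWS.
    result = remediate_volume(SAMPLE_VOLUME, "us-east-1", run=offline_runner)
    for cmd in result["commands"]:
        print("aws ec2", " ".join(cmd))
```

Running the script as-is prints the nine commands it would issue for the constructed volume; passing run=None (the default) executes them for real, and passing kms_key_id adds --kms-key-id to both the copy-snapshot and create-volume calls, matching the optional CMK path in steps 03 and 05.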

Publication date Apr 5, 2016