
EBS Snapshot Encrypted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EBS-011

Ensure that the AWS EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption. The EBS snapshot data encryption and decryption is handled transparently and does not require any additional actions from your application.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When dealing with production data that is crucial to your business, it is highly recommended to encrypt it at rest in order to protect it from attackers or unauthorized personnel. EBS snapshots are encrypted with the AES-256 algorithm using data keys that are managed and protected by AWS Key Management Service (AWS KMS), either the AWS managed key for EBS (aws/ebs) or a customer managed key that you control. A snapshot inherits the encryption state of the volume it was taken from, so an unencrypted snapshot cannot be encrypted in place; the fix is to create an encrypted copy of it (see the Remediation section below) and then remove the unencrypted original.


Audit

To identify any unencrypted EBS volume snapshots available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

04 Select the volume snapshot that you want to examine.

05 Select Description tab from the dashboard bottom panel and check the Encrypted attribute value to determine whether the selected snapshot is encrypted or not. If the Encrypted attribute value is set to Not Encrypted, the selected AWS EBS volume snapshot is not encrypted, therefore your EBS snapshot data is not protected from unauthorized access.

06 Repeat steps no. 4 and 5 to identify any other unencrypted snapshots available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-snapshots command (OSX/Linux/UNIX) using custom filtering to list the IDs of all completed EBS volume snapshots owned by the AWS account identified by the ID 123456789012, available in the selected region (replace 123456789012 with your own AWS account ID, or use the keyword self to refer to the calling account):

aws ec2 describe-snapshots \
  --region us-east-1 \
  --owner-ids 123456789012 \
  --filters Name=status,Values=completed \
  --output table \
  --query 'Snapshots[*].SnapshotId'

02 The command output should return the EBS volume snapshot IDs requested:

----------------------------
|     DescribeSnapshots    |
+--------------------------+
|  snap-0b82cb946915a7e4f  |
|  snap-0ee33391e721cfe2f  |
|  snap-0a19e59873298d777  |
+--------------------------+

03 Execute again describe-snapshots command (OSX/Linux/UNIX) using the ID of the EBS snapshot returned at the previous step as identifier (the parameter is --snapshot-ids and accepts one or more IDs) and a query filter to check whether the selected snapshot is encrypted or not:

aws ec2 describe-snapshots \
  --region us-east-1 \
  --snapshot-ids snap-0b82cb946915a7e4f \
  --query 'Snapshots[*].Encrypted'

04 The command output should return the EBS snapshot encryption status (**true** for encrypted and **false** for unencrypted):

[
	false
]

If the returned value is false (as shown in the output example above), the selected AWS EBS volume snapshot is not currently encrypted.

05 Repeat steps no. 3 and 4 to identify any other unencrypted snapshots created in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.
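The per-snapshot, per-region loop above becomes tedious in accounts with many snapshots. The following script is an added example (it is not part of the Conformity page) that performs the whole CLI audit in one pass: it iterates over every region enabled for the account, asks the API directly for unencrypted snapshots owned by the account, and prints one report line per finding. It assumes the AWS CLI is installed with credentials allowed to call ec2:DescribeRegions and ec2:DescribeSnapshots, that --owner-ids accepts the keyword self, and that the CLI's text output renders booleans as True/False; the column layout and report format are choices made here, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): list every unencrypted EBS snapshot
# owned by the current account across all enabled regions in one pass.
# Requires the AWS CLI with credentials permitted ec2:DescribeRegions and
# ec2:DescribeSnapshots. Assumptions: --owner-ids accepts "self" and text output
# renders booleans as True/False (both are documented AWS CLI behaviour).
set -e

# Filter tab-separated describe-snapshots text output down to the unencrypted rows.
# Column layout (fixed by the --query below): SnapshotId, Encrypted, VolumeId, VolumeSize, StartTime.
# Pure function: reads stdin, writes one report line per finding, so it can be tested offline.
report_unencrypted() {
  region="$1"
  awk -F'\t' -v region="$region" '
    $2 == "False" {
      printf "%s\t%s\tvolume=%s\tsize=%sGiB\tcreated=%s\n", region, $1, $3, $4, $5
    }'
}

# Query one region. The server-side encrypted=false filter keeps the transfer small;
# report_unencrypted re-checks the column so a dropped filter cannot silently hide findings.
scan_region() {
  region="$1"
  aws ec2 describe-snapshots \
    --region "$region" \
    --owner-ids self \
    --filters Name=status,Values=completed Name=encrypted,Values=false \
    --query 'Snapshots[].[SnapshotId,Encrypted,VolumeId,VolumeSize,StartTime]' \
    --output text | report_unencrypted "$region"
}

# Iterate over every region enabled for the account; the manual audit above is per region.
scan_all_regions() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    scan_region "$region"
  done
}

# Run the scan only when invoked with --scan, so the functions can also be sourced or tested.
if [ "${1:-}" = "--scan" ]; then
  scan_all_regions
fi
```

Run it as `sh audit-ebs-snapshots.sh --scan`; an empty result means no completed, unencrypted snapshots are owned by the account in any enabled region. Snapshots shared with the account by other owners are deliberately excluded, since their encryption state is the owner's to fix.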

Remediation / Resolution

To encrypt existing EBS volume snapshots available within your AWS account, perform the following:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"EBSVolumeSnapshot": {
			"Type": "AWS::EC2::Snapshot",
			"Properties": {
				"VolumeId": "vol-01234abcd1234abcd"
			}
		},
		"EBSVolumeSnapshotCopy": {
			"Type": "AWS::EC2::Snapshot",
			"Properties": {
				"SnapshotId": {
					"Ref": "EBSVolumeSnapshot"
				},
				"Encrypted": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  EBSVolumeSnapshot:
    Type: AWS::EC2::Snapshot
    Properties:
      VolumeId: vol-01234abcd1234abcd
  EBSVolumeSnapshotCopy:
    Type: AWS::EC2::Snapshot
    Properties:
      SnapshotId: !Ref 'EBSVolumeSnapshot'
      Encrypted: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-volume-snapshot" {
	volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_snapshot_copy" "ebs-volume-snapshot-copy" {
	source_snapshot_id = aws_ebs_snapshot.ebs-volume-snapshot.id
	# source_region is a required argument of aws_ebs_snapshot_copy
	source_region      = "us-east-1"
	# Without encrypted = true the copy keeps the unencrypted state of its source
	encrypted          = true
	# Optionally set kms_key_id to a customer managed key; the aws/ebs key is used otherwise
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

04 Select the unencrypted EBS snapshot that you want to encrypt (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Copy.

06 Inside Copy Snapshot dialog box, perform the following actions:

  1. From Destination region dropdown list, select the region where you want to write the copy of the snapshot.
  2. (Optional) Edit the snapshot copy description available within Description box.
  3. Check Encrypt this snapshot checkbox available next to Encryption. Select the KMS key (Customer Master Key, CMK) to be used to encrypt the selected EBS snapshot from the Master Key dropdown list. If there are no customer managed KMS keys created within your account, you can use the default master key (i.e. (default) aws/ebs), a predefined AWS managed key that protects your EBS snapshots when no other key is defined.
  4. Click Copy to confirm the action.

07 In the Copy Snapshot confirmation dialog box, click Snapshots (link) to go to the Snapshots page in the specified AWS region or choose Close to return to EC2 dashboard. The process will take a couple of minutes to complete, you should see the encrypted copy being created on the Snapshots page.

08 Now that your EBS volume snapshot is encrypted, you can safely delete the original (unencrypted) snapshot. To remove the required EBS snapshot from your AWS account, perform the following:

  1. Select the EBS snapshot that you want to delete.
  2. Click the Actions dropdown button from the dashboard top menu and choose Delete.
  3. Inside Delete Snapshot dialog box, click Yes, Delete to confirm your action.

09 Repeat steps no. 4 – 8 to encrypt other unencrypted EBS snapshots available in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run copy-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier (see Audit section part II to identify the right resource) to copy and encrypt the selected point-in-time snapshot to the specified destination. By default the copy is encrypted with the AWS managed aws/ebs key; add --kms-key-id with the ID or ARN of a customer managed key to use that key instead:

aws ec2 copy-snapshot \
  --region us-east-1 \
  --source-region us-east-1 \
  --destination-region us-east-1 \
  --source-snapshot-id snap-0b82cb946915a7e4f \
  --description "This is my encrypted AWS EBS snapshot." \
  --encrypted

02 The command output should return the ID of the new EBS (encrypted) snapshot:

{
	"SnapshotId": "snap-0da5af3166d74399f"
}

03 copy-snapshot returns as soon as the copy is started; the snapshot data is still being transferred. Wait until the new snapshot reaches the completed state (for example with aws ec2 wait snapshot-completed --snapshot-ids snap-0da5af3166d74399f) and confirm that its Encrypted attribute is true before removing the original. Note that tags are not carried over to the copy unless you pass --tag-specifications, and that deleting a snapshot that backs a registered AMI fails until the AMI is deregistered. Once the encrypted copy is verified, run delete-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier, to remove the snapshot from your AWS account (the command does not return an output):

aws ec2 delete-snapshot \
  --region us-east-1 \
  --snapshot-id snap-0b82cb946915a7e4f

04 Repeat steps no. 1 – 3 to encrypt other AWS EBS snapshots available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.
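The CLI remediation above is three separate commands with a timing dependency between them: the original must not be deleted before the encrypted copy has actually completed. The following script is an added example (it is not part of the Conformity page) that wires the steps together: it starts the encrypted copy, waits for it, verifies that the copy is both encrypted and completed, and deletes the source only when that gate passes. It assumes the AWS CLI with permissions for ec2:CopySnapshot, ec2:DescribeSnapshots and ec2:DeleteSnapshot (plus the relevant kms: permissions when a customer managed key is used). The KMS_KEY_ID environment variable, the --run entry point and the copy_is_safe helper are conventions introduced here, not anything the page or the AWS CLI defines.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): copy an unencrypted snapshot to an
# encrypted one, wait for the copy to finish, verify it, and only then delete the source.
# Requires the AWS CLI with ec2:CopySnapshot, ec2:DescribeSnapshots, ec2:DeleteSnapshot
# (and kms permissions on the key when a customer managed key is used).
# KMS_KEY_ID, the --run entry point and copy_is_safe are conventions of this script only.
set -e

# Deletion gate: the copy must report Encrypted=True and State=completed.
# Kept as a pure function so it can be tested without AWS access.
copy_is_safe() {
  [ "$1" = "True" ] && [ "$2" = "completed" ]
}

# $1 = region, $2 = unencrypted source snapshot ID.
# Set KMS_KEY_ID to a customer managed key ID/ARN to use it; otherwise aws/ebs is used.
encrypt_snapshot() {
  region="$1"
  src="$2"
  kms_opt=""
  if [ -n "${KMS_KEY_ID:-}" ]; then
    kms_opt="--kms-key-id $KMS_KEY_ID"
  fi

  # kms_opt is intentionally unquoted so that it expands to two words (or to nothing).
  copy=$(aws ec2 copy-snapshot \
    --region "$region" \
    --source-region "$region" \
    --source-snapshot-id "$src" \
    --description "Encrypted copy of $src" \
    --encrypted $kms_opt \
    --query SnapshotId --output text)
  echo "copy $copy started from $src"

  # copy-snapshot returns immediately; block until the data transfer has finished.
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$copy"

  # Re-read the copy's attributes rather than trusting the request that created it.
  state=$(aws ec2 describe-snapshots --region "$region" --snapshot-ids "$copy" \
    --query 'Snapshots[0].[Encrypted,State]' --output text)
  enc=$(printf '%s' "$state" | cut -f1)
  st=$(printf '%s' "$state" | cut -f2)

  if copy_is_safe "$enc" "$st"; then
    # Fails with InvalidSnapshot.InUse if the source backs a registered AMI: deregister first.
    aws ec2 delete-snapshot --region "$region" --snapshot-id "$src"
    echo "deleted unencrypted source $src"
  else
    echo "copy $copy is Encrypted=$enc State=$st; source $src kept" >&2
    return 1
  fi
}

# Entry point: sh encrypt-snapshot.sh --run <region> <snapshot-id>
if [ "${1:-}" = "--run" ]; then
  encrypt_snapshot "${2:-us-east-1}" "${3:?snapshot id required}"
fi
```

Run it as `sh encrypt-snapshot.sh --run us-east-1 snap-0b82cb946915a7e4f`, optionally with `KMS_KEY_ID` exported, and feed it each ID reported by the audit. The script stops and leaves the original in place if the copy does not come back as encrypted and completed, which is the failure mode the manual three-command procedure cannot protect against.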


Publication date Oct 15, 2017