This rule ensures attached EBS volumes have delete on termination enabled.
| Field | Value |
| --- | --- |
| Rule | Attached EBS volumes should have delete on termination enabled |
| Framework | AWS Audit Manager Control Tower Guardrails |
| Severity | Medium |
Attached EBS volumes should have delete on termination enabled for AWS Audit Manager Control Tower Guardrails
When managing AWS resources, it's crucial to ensure that your EBS (Elastic Block Store) volumes are configured to be deleted upon the termination of the EC2 instance to which they are attached. This is a common security practice that helps in preventing data leakage and managing costs effectively. It aligns with compliance requirements often checked by AWS Audit Manager and Control Tower Guardrails.
Understanding the Rule
This rule requires that the 'Delete on Termination' attribute be set to true for EBS volumes when they are created or attached to EC2 instances. If an EBS volume is not marked for deletion upon termination of the instance, it persists in AWS after the instance is gone, incurring unnecessary cost and leaving potentially sensitive data on an orphaned volume that is no longer tracked by any workload.
Troubleshooting Steps
Remediation Steps
Via AWS Management Console
Via AWS CLI
To enable 'Delete on Termination' for an EBS volume attached to an EC2 instance using the AWS CLI:
Identify the Instance ID and Volume ID using DescribeInstances:
aws ec2 describe-instances
Modify the instance attribute to enable 'Delete on Termination':
aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 \
    --block-device-mappings "[{\"DeviceName\": \"/dev/sdf\",\"Ebs\":{\"DeleteOnTermination\":true}}]"
Replace i-1234567890abcdef0 with the Instance ID and /dev/sdf with the device name. Adjust the command as necessary for your specific configuration.
Necessary AWS IAM Permissions
Make sure you have the necessary AWS IAM (Identity and Access Management) permissions to make these changes:
ec2:DescribeInstances
ec2:ModifyInstanceAttribute
These permissions are necessary for users to execute the commands described above.
Automation Via AWS Boto3 Python SDK
For automating this process with Python's Boto3, use the following code snippet:
import boto3

ec2 = boto3.resource('ec2')

# For each instance, enable DeleteOnTermination on every attached EBS volume
# that does not already have it. DeleteOnTermination belongs to the instance's
# block device mapping, so it is set with Instance.modify_attribute; the
# Volume resource's modify_attribute only accepts AutoEnableIO.
for instance in ec2.instances.all():
    for volume in instance.volumes.all():
        for attachment in volume.attachments:
            if attachment['InstanceId'] != instance.id:
                continue  # multi-attach volume attached elsewhere
            if not attachment['DeleteOnTermination']:
                instance.modify_attribute(BlockDeviceMappings=[{
                    'DeviceName': attachment['Device'],
                    'Ebs': {'DeleteOnTermination': True},
                }])
Ensure that your AWS credentials are set up correctly and that the Boto3 library is installed.
Compliance Validation
To validate compliance, ensure that all EBS volumes across your AWS environment have 'Delete on Termination' enabled, or regularly scan and report using AWS Audit Manager. Set up automated alerts or scheduled checks to identify EBS volumes that deviate from this rule.
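The following is an added example, not code from the original page, that covers both the CLI remediation steps above and this validation step as one scheduled check. It is pure Python so it runs offline: it walks a DescribeInstances response (the constructed sample below mirrors the shape boto3's ec2.describe_instances() returns; the instance and volume IDs are made up), reports every attached EBS volume whose DeleteOnTermination is false, and builds the per-instance BlockDeviceMappings payload that ModifyInstanceAttribute accepts. The function names find_noncompliant_mappings, build_remediation and remediate_live are assumptions of this example, not AWS API names.

```python
"""Scan DescribeInstances output for EBS volumes lacking DeleteOnTermination
and build the ModifyInstanceAttribute payload that remediates each one.

Added example (not from the original page). The response keys used here
(Reservations, Instances, BlockDeviceMappings, Ebs.DeleteOnTermination) are
the real DescribeInstances field names; the sample data is constructed.
"""

from typing import Dict, List


def find_noncompliant_mappings(describe_instances_response: dict) -> List[Dict]:
    """Return one finding per attached EBS volume whose DeleteOnTermination is false."""
    findings = []
    for reservation in describe_instances_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            # A terminated instance has nothing left to remediate; skip it.
            if instance.get("State", {}).get("Name") == "terminated":
                continue
            for mapping in instance.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                if ebs is None:  # defensive: only EBS mappings carry the flag
                    continue
                if not ebs.get("DeleteOnTermination", False):
                    findings.append({
                        "InstanceId": instance["InstanceId"],
                        "DeviceName": mapping["DeviceName"],
                        "VolumeId": ebs.get("VolumeId"),
                    })
    return findings


def build_remediation(findings: List[Dict]) -> Dict[str, List[Dict]]:
    """Group findings per instance into the BlockDeviceMappings argument of
    ec2.modify_instance_attribute, so each instance needs exactly one call."""
    payloads: Dict[str, List[Dict]] = {}
    for finding in findings:
        payloads.setdefault(finding["InstanceId"], []).append({
            "DeviceName": finding["DeviceName"],
            "Ebs": {"DeleteOnTermination": True},
        })
    return payloads


def remediate_live(payloads: Dict[str, List[Dict]], ec2_client) -> int:
    """Apply the payloads through a boto3 EC2 client (needs
    ec2:ModifyInstanceAttribute). Returns the number of instances modified."""
    for instance_id, mappings in payloads.items():
        ec2_client.modify_instance_attribute(
            InstanceId=instance_id, BlockDeviceMappings=mappings)
    return len(payloads)


# Constructed sample in the shape of ec2.describe_instances() output; IDs are fake.
SAMPLE_RESPONSE = {
    "Reservations": [{
        "Instances": [
            {
                "InstanceId": "i-0aaa111122223333a",
                "State": {"Name": "running"},
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda",
                     "Ebs": {"VolumeId": "vol-0c0ffee000000001", "DeleteOnTermination": True}},
                    {"DeviceName": "/dev/sdf",
                     "Ebs": {"VolumeId": "vol-0c0ffee000000002", "DeleteOnTermination": False}},
                ],
            },
            {
                "InstanceId": "i-0bbb111122223333b",
                "State": {"Name": "running"},
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/xvda",
                     "Ebs": {"VolumeId": "vol-0c0ffee000000003", "DeleteOnTermination": True}},
                ],
            },
        ]
    }]
}

if __name__ == "__main__":
    found = find_noncompliant_mappings(SAMPLE_RESPONSE)
    for f in found:
        print(f"NONCOMPLIANT {f['InstanceId']} {f['DeviceName']} {f['VolumeId']}")
    print(build_remediation(found))
    # Against a real account (requires boto3, credentials and the IAM
    # permissions listed above); DescribeInstances is paginated, so use
    # client.get_paginator("describe_instances") for large accounts:
    # import boto3
    # client = boto3.client("ec2")
    # remediate_live(build_remediation(
    #     find_noncompliant_mappings(client.describe_instances())), client)
```

Keeping detection separate from remediation lets the same scan feed a report or alert first and apply ModifyInstanceAttribute only after review, which matters because the flag is set on the root volume by default and a false value on a data volume may be deliberate for a volume that is meant to outlive its instance.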
Conclusion
Setting EBS volumes to delete on termination is a fundamental step to maintain the hygiene and compliance of your AWS environment. Regularly auditing and correcting these settings will help you avoid unnecessary costs and reduce the risks related to data security.