This rule ensures that all attached EBS volumes are encrypted at rest for enhanced security measures.
| Rule | Attached EBS volumes should be encrypted at rest |
| Framework | AWS Foundational Security Best Practices |
| Severity | Medium |
Rule Description:
The rule, "Attached EBS volumes should be encrypted at rest," is a security best practice recommended by AWS to protect data stored on Elastic Block Store (EBS) volumes. This rule ensures that all EBS volumes attached to Amazon EC2 instances are encrypted to safeguard sensitive information from unauthorized access.
By enforcing encryption at rest for attached EBS volumes, you can enhance the security posture of your AWS infrastructure and adhere to industry compliance requirements.
Troubleshooting Steps:
If some attached EBS volumes are not encrypted, follow these troubleshooting steps to identify and resolve any potential issues:
Verify attached EBS volumes: Use the AWS Management Console, AWS CLI, or SDKs to list all volumes attached to your EC2 instances, so that you have a complete overview of the EBS volumes in your AWS account.
CLI Command:
aws ec2 describe-volumes --filters Name=attachment.status,Values=attached
Identify unencrypted volumes: Filter the list obtained in the previous step to identify any unencrypted EBS volumes.
CLI Command:
aws ec2 describe-volumes --query 'Volumes[?Encrypted==`false`]'
Review encryption settings: Inspect the encryption settings for each unencrypted volume to ensure it meets your requirements. Check whether encryption is disabled explicitly, or whether the KMS key is missing or misconfigured.
CLI Command:
aws ec2 describe-volumes --volume-ids <volume-id>
Enable encryption: An existing EBS volume cannot be encrypted in place, so for each unencrypted volume take a snapshot and create a new encrypted volume from it, using the desired AWS Key Management Service (KMS) key. The new volume then replaces the unencrypted one.
CLI Command:
aws ec2 create-snapshot --volume-id <volume-id>
aws ec2 create-volume --snapshot-id <snapshot-id> --availability-zone <availability-zone> --encrypted --kms-key-id <kms-key-id>
Validate encryption status: After enabling encryption, verify that the status of the volume reflects the change.
CLI Command:
aws ec2 describe-volumes --volume-ids <volume-id>
Update automation processes: Ensure that any automation or provisioning processes are updated to enforce volume encryption for new instances and volumes.
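The troubleshooting steps above come down to one evaluation: is every volume that is attached to an instance encrypted, and with the key you expect? The following added example (not code from the original rule page) implements that evaluation over the JSON shape returned by `aws ec2 describe-volumes` or boto3's `describe_volumes()`. The sample response, volume ids, instance ids and key ARN are constructed for illustration; the real API call is isolated in `fetch_volumes()` so the check itself runs offline. It also goes one step beyond the page's check by optionally flagging volumes encrypted with a KMS key outside an allowed set, which covers the "key is misconfigured" case.

```python
"""Find attached EBS volumes that are not encrypted at rest.

Added example, not part of the original rule page. The check operates on
the dict shape of `aws ec2 describe-volumes`, so it can be run offline on
the constructed sample below or on a real response from fetch_volumes().
"""
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# Volume ids, instance ids and the key ARN are made up for illustration.
SAMPLE_DESCRIBE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0aaa111", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0bbb222", "Encrypted": false,
     "State": "in-use", "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0aaa111", "Device": "/dev/xvdf", "State": "attached"}]},
    {"VolumeId": "vol-0ccc333", "Encrypted": false,
     "State": "available", "AvailabilityZone": "us-east-1b",
     "Attachments": []}
  ]
}
""")


def find_noncompliant_volumes(response, allowed_kms_key_ids=None):
    """Return one finding per (volume, attachment) that violates the rule.

    `response` is the dict returned by describe_volumes(). Only volumes with
    an active attachment are in scope, matching the rule's wording. If
    `allowed_kms_key_ids` is given, an encrypted volume whose KmsKeyId is
    not in that set is also reported (reason "unexpected-kms-key").
    """
    findings = []
    for vol in response.get("Volumes", []):
        attached = [a for a in vol.get("Attachments", []) if a.get("State") == "attached"]
        if not attached:
            continue  # unattached volumes are outside this rule's scope

        if vol.get("Encrypted") is not True:
            reason = "not-encrypted"
        elif allowed_kms_key_ids is not None and vol.get("KmsKeyId") not in allowed_kms_key_ids:
            reason = "unexpected-kms-key"
        else:
            continue  # compliant

        for att in attached:
            findings.append({
                "VolumeId": vol["VolumeId"],
                "InstanceId": att.get("InstanceId"),
                "Device": att.get("Device"),
                "AvailabilityZone": vol.get("AvailabilityZone"),
                "Reason": reason,
            })
    return findings


def fetch_volumes(region_name=None):
    """Fetch all volumes from the real API (needs boto3 and credentials)."""
    import boto3  # imported here so the offline check has no dependency on it
    ec2 = boto3.client("ec2", region_name=region_name)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return {"Volumes": volumes}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for f in find_noncompliant_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print(f"NON-COMPLIANT {f['VolumeId']} on {f['InstanceId']} ({f['Device']}): {f['Reason']}")
```

Running it on a real account means replacing the sample with `fetch_volumes()`; the paginator matters because `describe-volumes` truncates large accounts and an unpaginated call would silently miss volumes.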
Code:
No specific code is required for this rule as it involves evaluation and remediation steps for existing resources. However, if you want to automate the process, you can use AWS Config Rules, AWS CloudFormation, AWS Lambda, or other infrastructure-as-code tools to enforce encryption at rest for your EBS volumes.
Remediation Steps:
Follow the below steps to remediate the rule violation and encrypt attached EBS volumes:
Identify unencrypted EBS volumes: Use the steps mentioned earlier or the AWS Management Console to find the list of unencrypted EBS volumes attached to EC2 instances.
Encrypt with AWS KMS: For each unencrypted volume, follow the steps below to encrypt the volume using AWS Key Management Service (KMS):
a. Create a new encrypted copy of the volume:
- Open the Amazon EC2 console.
- Navigate to the "Snapshots" section, and select "Create Snapshot" for the unencrypted volume.
- Select the newly created snapshot and choose "Actions" > "Create Volume."
- Enable encryption and select the desired AWS KMS key for encryption.
- Create the encrypted volume.
b. Detach the old unencrypted volume:
- Navigate to "Volumes" in the Amazon EC2 console.
- Select the unencrypted volume to be detached.
- Choose "Actions" > "Detach Volume."
c. Attach the new encrypted volume:
- Select the newly created encrypted volume.
- Choose "Actions" > "Attach Volume."
- Specify the desired EC2 instance to which the volume should be attached.
- Verify that the encryption status of the updated volume is now 'encrypted.'
Validate encryption status: Verify that all EBS volumes are now encrypted at rest by listing the volumes and ensuring the "Encrypted" attribute is set to 'true.'
CLI Command:
aws ec2 describe-volumes
Update automation processes: To ensure ongoing compliance with the rule, update any automation or provisioning processes involved in launching new EC2 instances or attaching EBS volumes. Add encryption configurations to these processes to enforce encryption at rest.
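The console sequence in the remediation steps (snapshot, encrypted volume from the snapshot, detach, attach, validate) is the same sequence an automation process would run through the EC2 API. The following added example, which is not code from the original rule page, performs it with a boto3 EC2 client supplied by the caller. `FakeEC2` is a constructed in-memory stand-in so the flow can be exercised offline; the KMS key ARN, ids and device names are made up for illustration.

```python
"""Replace an unencrypted EBS volume with an encrypted copy.

Added example, not part of the original rule page. `ec2` is expected to be
boto3.client("ec2"); FakeEC2 below is a constructed stand-in used only for
the offline demonstration.
"""


def encrypt_volume_by_copy(ec2, volume_id, kms_key_id):
    """Snapshot -> encrypted volume -> detach old -> attach new -> validate.

    Returns a dict describing what was done, or None if the volume is
    already encrypted. As the page's note says, back up critical data first;
    a root volume must be detached from a stopped instance, and any other
    volume should be unmounted inside the guest before detaching.
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol.get("Encrypted"):
        return None

    # a. Snapshot the unencrypted volume, then create an encrypted volume from
    #    it. EBS allows Encrypted=True on a volume created from an unencrypted
    #    snapshot, which is why no in-place "encrypt" call exists or is needed.
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}"
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    new_id = ec2.create_volume(
        SnapshotId=snap_id,
        AvailabilityZone=vol["AvailabilityZone"],  # must match the instance's AZ
        VolumeType=vol.get("VolumeType", "gp3"),
        Encrypted=True,
        KmsKeyId=kms_key_id,
    )["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # b./c. Detach the old volume and attach the encrypted one at the same device.
    result = {"old": volume_id, "snapshot": snap_id, "new": new_id, "attached_to": None}
    for att in vol.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id, InstanceId=att["InstanceId"])
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_id, InstanceId=att["InstanceId"], Device=att["Device"])
        result["attached_to"] = (att["InstanceId"], att["Device"])

    # Validation step: the replacement must now report Encrypted == True.
    new_vol = ec2.describe_volumes(VolumeIds=[new_id])["Volumes"][0]
    result["encrypted"] = bool(new_vol.get("Encrypted"))
    return result


class FakeEC2:
    """Constructed in-memory stand-in for boto3.client('ec2'); not real AWS."""

    class _Waiter:
        def wait(self, **_):
            pass  # real waiters poll until the resource reaches the state

    def __init__(self):
        self.volumes = {
            "vol-0unenc": {"VolumeId": "vol-0unenc", "Encrypted": False,
                           "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
                           "Attachments": [{"InstanceId": "i-0abc", "Device": "/dev/xvdf"}]},
        }
        self.calls = []  # records (api_name, kwargs) for inspection

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-0copy"}

    def create_volume(self, **kw):
        self.calls.append(("create_volume", kw))
        vid = "vol-0enc"
        self.volumes[vid] = {"VolumeId": vid, "Encrypted": kw["Encrypted"],
                             "KmsKeyId": kw.get("KmsKeyId"),
                             "AvailabilityZone": kw["AvailabilityZone"], "Attachments": []}
        return {"VolumeId": vid}

    def detach_volume(self, **kw):
        self.calls.append(("detach_volume", kw))

    def attach_volume(self, **kw):
        self.calls.append(("attach_volume", kw))
        self.volumes[kw["VolumeId"]]["Attachments"].append(
            {"InstanceId": kw["InstanceId"], "Device": kw["Device"]})

    def get_waiter(self, name):
        return self._Waiter()


if __name__ == "__main__":
    client = FakeEC2()  # swap for boto3.client("ec2") to run against AWS
    print(encrypt_volume_by_copy(client, "vol-0unenc",
                                 "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"))
```

Two design points carry over to any real automation of this step: the replacement volume is created in the original volume's availability zone, since attachment fails across zones, and the function returns the snapshot id so that the unencrypted source volume and snapshot can be deleted only after the new volume has been validated.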
Note: It is important to understand the potential impact of encrypting unencrypted volumes. Back up any critical data before making any changes to ensure data integrity and availability.
Following these steps will help you remediate non-compliant attached EBS volumes and ensure that your AWS environment aligns with the AWS Foundational Security Best Practices.