
EBS Default Encryption Rule

This rule ensures the default encryption is enabled for Amazon EBS volumes.

Rule: EBS default encryption should be enabled
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description

The rule requires enabling default encryption for Amazon Elastic Block Store (EBS) volumes within the AWS account, specifically for compliance with the CISA Cyber Essentials framework. Enabling default encryption ensures that any newly created EBS volumes are automatically encrypted using AWS Key Management Service (KMS) keys.

Troubleshooting Steps

If default encryption for EBS is not enabled, you can follow these troubleshooting steps:

  1. Verify AWS account permissions: Ensure that the IAM user or role associated with your account has sufficient permissions to enable default encryption for EBS volumes, that is, the IAM permissions needed to modify the default encryption setting.

  2. Check for an existing KMS key: Validate that a KMS key exists in the account that can be used for encrypting EBS volumes. If no key exists, create a KMS key in the desired region.

  3. Ensure supported instance types and AMIs: Confirm that the EC2 instance types and AMIs used in the AWS account support EBS default encryption. Some older instance types or AMIs might not support it.

  4. Review the default encryption status: Check the current default encryption status for EBS volumes. It should be set to "enabled."

Necessary Code

There is no specific code required for this rule. However, you can use AWS Command Line Interface (CLI) commands to check and enable default encryption for EBS volumes.

Step-by-Step Guide for Remediation

To enable default encryption for EBS volumes, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the Amazon EBS section.

  2. Select the region where the default encryption needs to be enabled (if applicable).

  3. In the left navigation pane, click on "Dashboard" to view the EBS volume dashboard.

  4. Check the "Default encryption" column to verify the current status. It should display "ENCRYPTED" if default encryption is already enabled. If not, proceed to the next step.

  5. Open a terminal with the AWS Command Line Interface (CLI), or use the AWS CLI available from the AWS Management Console.

  6. Run the following command to enable default encryption for EBS volumes:

    aws ec2 enable-ebs-encryption-by-default

  7. Confirm the action by entering "Y" when prompted.

  8. Wait for the command to execute successfully. This may take a few moments.

  9. Return to the EBS volume dashboard and verify that the "Default encryption" column now displays "ENCRYPTED" for new volumes.

Note: Enabling default encryption does not encrypt existing unencrypted volumes. You need to manually encrypt those volumes.
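The CLI check-and-enable workflow from the "Necessary Code" section and the note about existing volumes, combined into one added example (this is not Cloud Defense's code). It assumes the AWS CLI is configured with credentials allowed to call the four `ec2` operations it uses; the helper that parses the `get-ebs-encryption-by-default` output works offline on captured JSON.

```shell
#!/bin/sh
# Added example, not Cloud Defense's code: audit EBS default encryption in every
# region with the AWS CLI, optionally enable it, and list the existing
# unencrypted volumes that the setting does not retroactively encrypt.
# Assumes the AWS CLI is configured with credentials permitted to call
# get/enable-ebs-encryption-by-default, describe-volumes and describe-regions.
set -eu

# Extract the boolean from `aws ec2 get-ebs-encryption-by-default` JSON output
# (pretty-printed by the CLI) without depending on jq.
ebs_default_state() {
  printf '%s' "$1" \
    | grep -oE '"EbsEncryptionByDefault":[[:space:]]*(true|false)' \
    | sed -E 's/.*:[[:space:]]*//'
}

# Exit status 0 when the JSON reports default encryption enabled, 1 otherwise.
region_compliant() {
  [ "$(ebs_default_state "$1")" = "true" ]
}

# Report one region; set ENABLE_EBS_DEFAULT=1 to remediate a non-compliant one.
audit_region() {
  region=$1
  out=$(aws ec2 get-ebs-encryption-by-default --region "$region" --output json)
  if region_compliant "$out"; then
    echo "$region: compliant (EBS default encryption enabled)"
  else
    echo "$region: NON-COMPLIANT (EBS default encryption disabled)"
    if [ "${ENABLE_EBS_DEFAULT:-0}" = "1" ]; then
      aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
      echo "$region: default encryption now enabled"
    fi
  fi
  # Enabling the default leaves existing volumes untouched; list them for follow-up.
  unenc=$(aws ec2 describe-volumes --region "$region" \
    --filters Name=encrypted,Values=false \
    --query 'Volumes[].VolumeId' --output text)
  [ -z "$unenc" ] || echo "$region: existing unencrypted volumes: $unenc"
}

main() {
  for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    audit_region "$r"
  done
}

# Call the AWS API only when explicitly requested so the helpers can be exercised offline.
if [ "${RUN_EBS_AUDIT:-0}" = "1" ]; then main; fi
```

Run it as `RUN_EBS_AUDIT=1 sh ebs-audit.sh` to report, and add `ENABLE_EBS_DEFAULT=1` to remediate; the volume list at the end is what still needs the manual encryption the note above describes.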
