
Rule: EBS Default Encryption Should be Enabled

This rule ensures that EBS default encryption is enabled for enhanced data security.

Rule: EBS default encryption should be enabled
Framework: CISA-Cyber Essentials
Severity: Medium

EBS Default Encryption for CISA-Cyber Essentials

Rule Description

To meet the requirements of CISA-Cyber Essentials, it is recommended to enable the default encryption for Amazon Elastic Block Store (EBS) volumes. This ensures that all newly created EBS volumes are automatically encrypted, providing an additional layer of data protection and security.

Enabling default encryption removes the need to request encryption on every volume creation, making the process streamlined and consistent. It prevents the accidental creation of unencrypted volumes and ensures that all data stored on EBS volumes is encrypted at rest. Note that the setting applies only to volumes created after it is enabled; volumes that already exist keep their current encryption state.

Troubleshooting Steps

If the default encryption is not enabled for EBS volumes, follow these troubleshooting steps:

  1. Verify permissions: Ensure that you have the necessary permissions to enable default encryption for EBS volumes. You should have administrative access to the AWS account.

  2. Check existing EBS volumes: Review the existing EBS volumes to determine whether any are unencrypted. You can do this by checking the encryption status of each volume using the AWS Management Console, AWS CLI, or SDKs.

  3. Confirm existing EBS encryption settings: Verify the current encryption settings for your AWS account. You can do this by checking the default encryption settings in the AWS Key Management Service (KMS) console or by using the AWS CLI command:

     aws kms describe-key --key-id <key_id>

     Replace <key_id> with the key ID associated with your account's default key.

  4. Enable default encryption: If default encryption is not already enabled, enable it by following the remediation steps outlined in the next section.

Remediation Steps

To enable default encryption for EBS volumes in compliance with CISA-Cyber Essentials, follow these steps:

  1. Log in to the AWS Management Console.

  2. Open the Amazon EC2 dashboard.

  3. In the navigation pane, click on "Key Pairs".

  4. In the list of key pairs, identify the default key pair associated with the AWS account. If a default key pair does not exist, create a new one.

  5. Enable default encryption for EBS volumes using the AWS CLI command:

     aws ec2 enable-ebs-encryption-by-default --region <region> --profile <profile_name>

     Replace <region> with the desired AWS region and <profile_name> with the name of your AWS CLI profile. The setting is per region, so repeat the command in every region you use.

  6. Verify default encryption status: Check the default encryption status using the AWS CLI command:

     aws ec2 get-ebs-encryption-by-default --region <region> --profile <profile_name>

     Replace <region> with the AWS region and <profile_name> with your AWS CLI profile name. The command returns "EbsEncryptionByDefault": true once the setting is active.

  7. Validate default encryption: Create a new EBS volume and verify that it is encrypted by default. This can be done through the AWS Management Console or by using the AWS CLI.

By following these steps, you have successfully enabled default encryption for EBS volumes in compliance with CISA-Cyber Essentials requirements. Any new EBS volumes created in the AWS account will now be automatically encrypted.
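To check the troubleshooting and verification steps above in one place, here is an added audit script (not Cloud Defense's code) that evaluates a region from the raw responses of get-ebs-encryption-by-default, get-ebs-default-kms-key-id and describe-volumes, with an optional live runner that assumes boto3 is installed and AWS credentials are configured:

```python
"""Audit EBS encryption-by-default per region (added example, not Cloud Defense's code)."""


def evaluate_region(enc_default: dict, default_kms: dict, volumes: dict) -> dict:
    """Return a compliance summary for one region from the three API responses."""
    # Account attribute set by `aws ec2 enable-ebs-encryption-by-default`.
    enabled = bool(enc_default.get("EbsEncryptionByDefault", False))
    # Default key is "alias/aws/ebs" unless a customer-managed key was configured.
    key_id = default_kms.get("KmsKeyId", "")
    # Default encryption covers only new volumes, so existing ones are listed too.
    unencrypted = [v["VolumeId"] for v in volumes.get("Volumes", [])
                   if not v.get("Encrypted", False)]
    return {
        "default_encryption_enabled": enabled,
        "default_kms_key": key_id,
        "customer_managed_key": key_id not in ("", "alias/aws/ebs"),
        "unencrypted_volume_ids": unencrypted,
        "compliant": enabled and not unencrypted,
    }


def audit_account(regions: list) -> dict:
    """Run evaluate_region for each region with live boto3 calls (needs credentials)."""
    import boto3  # imported here so the pure evaluator stays usable offline
    results = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        vols = []
        for page in ec2.get_paginator("describe_volumes").paginate():
            vols.extend(page["Volumes"])
        results[region] = evaluate_region(
            ec2.get_ebs_encryption_by_default(),
            ec2.get_ebs_default_kms_key_id(),
            {"Volumes": vols},
        )
    return results


# Constructed sample responses shaped like the real API output, for offline use.
SAMPLE_ENC = {"EbsEncryptionByDefault": False}
SAMPLE_KEY = {"KmsKeyId": "alias/aws/ebs"}
SAMPLE_VOLS = {"Volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                           {"VolumeId": "vol-0bbb", "Encrypted": False}]}

if __name__ == "__main__":
    print(evaluate_region(SAMPLE_ENC, SAMPLE_KEY, SAMPLE_VOLS))
```

Run audit_account(["us-east-1", "eu-west-1"]) against a real account to get the same summary per region.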
