This rule ensures that EBS default encryption is enabled for enhanced data security.
Rule | EBS default encryption should be enabled |
Framework | CISA-cyber-essentials |
Severity | ✔ Medium |
EBS Default Encryption for CISA-Cyber Essentials
Rule Description
To meet the requirements of CISA-Cyber Essentials, enable encryption by default for Amazon Elastic Block Store (EBS) in every AWS Region the account uses. Encryption by default is a Region-level EC2 account attribute: once it is enabled, every EBS volume created in that Region (including volumes created at launch from unencrypted AMIs or snapshots) is encrypted with the Region's default KMS key, which is the AWS managed key aws/ebs unless you set a customer managed key.
Enabling the setting removes the need to request encryption on each volume, prevents the accidental creation of unencrypted volumes, and gives you one consistent control for data at rest. It applies only to volumes created after it is enabled; volumes that already exist stay unencrypted until you migrate them (snapshot, encrypted snapshot copy, new volume from the copy).
Troubleshooting Steps
If encryption by default is not enabled, work through the following checks. The setting is per Region, so repeat them for every Region the account uses:
Verify permissions: the identity running the checks needs at least ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and ec2:DescribeVolumes; remediation additionally needs ec2:EnableEbsEncryptionByDefault (and ec2:ModifyEbsDefaultKmsKeyId if you change the default key). Full administrative access is not required.
Check the current setting: run
aws ec2 get-ebs-encryption-by-default --region <region> --profile <profile_name>
The output is {"EbsEncryptionByDefault": false} when the control is off in that Region.
Confirm the default KMS key: run
aws ec2 get-ebs-default-kms-key-id --region <region> --profile <profile_name>
This shows the key new volumes will use (alias/aws/ebs unless a customer managed key has been set). Note that aws kms describe-key --key-id <key_id> only describes a key; it does not tell you whether EBS encryption by default is enabled.
Check existing EBS volumes: run
aws ec2 describe-volumes --region <region> --filters Name=encrypted,Values=false --query 'Volumes[].VolumeId' --profile <profile_name>
This lists volumes that are unencrypted today and will remain unencrypted after the setting is enabled.
Enable default encryption: if the setting is off, follow the remediation steps in the next section.
Remediation Steps
To enable encryption by default for EBS volumes in compliance with CISA-Cyber Essentials, follow these steps in each Region the account uses:
Log in to the AWS Management Console and open the Amazon EC2 console in the target Region.
On the EC2 Dashboard, under Account attributes, choose EBS encryption, then Manage.
Select Always encrypt new EBS volumes. Keep the default key (aws/ebs) or choose a customer managed KMS key, then choose Update EBS encryption. (The Key Pairs page is unrelated: EC2 key pairs are SSH login keys and have nothing to do with volume encryption.)
Alternatively, enable the setting with the AWS CLI:
aws ec2 enable-ebs-encryption-by-default --region <region> --profile <profile_name>
Optionally set a customer managed key as the Region's default:
aws ec2 modify-ebs-default-kms-key-id --kms-key-id <key_arn> --region <region> --profile <profile_name>
Verify the change:
aws ec2 get-ebs-encryption-by-default --region <region> --profile <profile_name>
The output should be {"EbsEncryptionByDefault": true}. Replace <region> with the AWS Region and <profile_name> with your AWS CLI profile name.
Once enabled, any new EBS volume created in that Region is encrypted automatically. Two caveats apply: the setting does not encrypt volumes that already exist (migrate those by taking a snapshot, copying it with --encrypted, and creating a new volume from the copy), and instance types that do not support EBS encryption can no longer be launched in that Region.