
Rule: Attached EBS volumes should have delete on termination enabled

This rule ensures that EBS volumes are set to delete when the associated instance is terminated.

Rule: Attached EBS volumes should have delete on termination enabled
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Attached EBS Volumes Should Have Delete on Termination Enabled for FFIEC Compliance

FFIEC guidance expects financial institutions to manage storage media securely and to dispose of data once it is no longer needed. This rule applies that expectation to Amazon Elastic Block Store (EBS): every EBS volume attached to an Amazon EC2 instance should have its "delete on termination" attribute enabled, so that the volume is deleted automatically when the instance is terminated. Without the flag, terminating an instance leaves an orphaned volume behind that still holds whatever the instance wrote to it (credentials, logs, customer records), that anyone with ec2:AttachVolume or ec2:CreateSnapshot on it can read, and that is billed until someone notices it. The flag is a disposal control, not a durability control: if a volume holds data that must outlive the instance, take a snapshot or other backup before termination, and make the decision to retain it explicit rather than an accident of the default.

Description of the Rule

Enabling the "delete on termination" attribute for EBS volumes attached to EC2 instances ensures that storage no longer in use is disposed of together with the instance instead of accumulating as detached volumes that nobody owns, which is the media-disposal practice an FFIEC examiner expects to see.

The attribute belongs to the attachment between a volume and an instance, not to the volume itself. That is why it is read and changed through the instance (describe-instances and modify-instance-attribute) and appears in describe-volumes under each entry of Attachments. For the root device volume the default is "true". For additional volumes it is typically "false", and a volume attached to a running instance with attach-volume always starts as "false". To satisfy this rule, the attribute must be set to "true" explicitly for every EBS volume attached to the instance, not only the root volume.

Troubleshooting Steps

If an EBS volume is not correctly configured to delete on termination, follow these steps to troubleshoot and resolve the issue.

Checking the "Delete on Termination" Attribute

  1. Use the AWS Management Console, the AWS CLI, or an SDK to describe the EC2 instance and read the flag for each EBS volume. In describe-instances output it is BlockDeviceMappings[].Ebs.DeleteOnTermination; in describe-volumes it is Attachments[].DeleteOnTermination.
  2. If the flag is not "true" for every EBS volume, proceed to modify the setting.

Modifying the EBS Volume Attribute

Using AWS CLI

  1. Identify the instance ID and, from the instance's block device mappings, the DeviceName of each EBS volume that needs the change.
  2. Use the modify-instance-attribute command to update the "delete on termination" attribute:

aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --block-device-mappings "[{\"DeviceName\":\"/dev/sdf\",\"Ebs\":{\"DeleteOnTermination\":true}}]"

Replace i-1234567890abcdef0 with your instance ID and /dev/sdf with the device name exactly as describe-instances reports it for that attachment. Several mappings can be passed in one call. The change applies only to volumes attached at the time of the call; a volume attached later starts with the flag "false" and must be set again.

Remediation Step-by-Step Guide

Enabling "Delete on Termination" During Instance Launch

  1. When launching a new EC2 instance from the AWS Management Console, go to the storage configuration step of the launch wizard and expand the advanced settings for each EBS volume.
  2. Set the "Delete on termination" flag to "Yes" for each EBS volume, including any additional volumes you add.
  3. Launch the instance.

Using AWS CLI

To specify the "delete on termination" attribute during instance launch, include the block device mapping parameter with your run-instances command:

aws ec2 run-instances --image-id ami-12345678 --count 1 --instance-type t2.micro --block-device-mappings "[{\"DeviceName\":\"/dev/sdm\",\"Ebs\":{\"VolumeSize\":12,\"DeleteOnTermination\":true}}]"

Adjust --image-id, --count, --instance-type, and --block-device-mappings as needed.

Modifying an Existing Instance

  1. Use the AWS Management Console or AWS CLI to modify the existing EBS volumes.
  2. For each volume, update the "Delete on Termination" attribute as demonstrated in the AWS CLI command above.
  3. Verify the change by describing the EC2 instance and checking the block device mappings.

Code for Automated Compliance Checking

You can create an automated check that evaluates the "delete on termination" flag on every attached EBS volume using a custom AWS Config rule backed by a Lambda function, or a scheduled script that walks describe-instances output. A Config rule is detective: it records which instances are non-compliant and when they became so, but the fix is still the modify-instance-attribute call shown above, which can be run by hand, from the same script, or from a remediation action tied to the rule.

Example AWS Config Rule

AWS Config allows you to create a custom rule, evaluated by a Lambda function, that reports each AWS::EC2::Instance as COMPLIANT or NON_COMPLIANT according to whether all of its attached EBS volumes have "delete on termination" set. Trigger the rule on configuration changes to EC2 instances so that a newly attached volume is evaluated as soon as Config records the attachment, and optionally on a schedule as a backstop. AWS Config continuously records configuration changes to your resources, so the evaluation history doubles as evidence for an examiner.
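The following Python is an added example and not Cloud Defense code. It serves both the verification step above (reading DeleteOnTermination out of describe-instances output) and this section (the evaluator a custom Config rule needs): the pure functions evaluate the same block device mapping structure that boto3 and the AWS CLI return, build the modify-instance-attribute call for anything that fails, and produce the verdict a Config rule would report. SAMPLE_RESERVATIONS is constructed test data in that shape, not real account output; audit_live and lambda_handler are the live paths and assume boto3 plus ec2:DescribeInstances, ec2:ModifyInstanceAttribute and config:PutEvaluations permissions.

```python
"""Evaluate EC2 block device mappings for DeleteOnTermination and build the
remediation.  Added example (not Cloud Defense code).  The evaluation functions
take the DescribeInstances response shape returned by boto3 and the AWS CLI."""
import json
import shlex

try:
    import boto3  # only the live paths (audit_live, lambda_handler) need it
except ImportError:  # keep the pure evaluation logic usable offline
    boto3 = None

# Constructed sample in the shape of `aws ec2 describe-instances` output (not real data).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa1", "DeleteOnTermination": True}},
         {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0aaa2", "DeleteOnTermination": False}},
     ]},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb1", "DeleteOnTermination": True}},
     ]},
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "terminated"},
     "BlockDeviceMappings": []},
]}]


def noncompliant_mappings(instance):
    """[{DeviceName, VolumeId}] for every EBS attachment of one instance (an element of
    Reservations[].Instances[]) whose DeleteOnTermination is not true.  A missing flag
    counts as false, the safe direction for a control."""
    found = []
    for mapping in instance.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:  # no EBS volume behind this device name: nothing to evaluate
            continue
        if ebs.get("DeleteOnTermination") is not True:
            found.append({"DeviceName": mapping["DeviceName"], "VolumeId": ebs.get("VolumeId")})
    return found


def compliance_verdict(instance):
    """(ComplianceType, Annotation) for one instance, as a custom Config rule reports it."""
    if instance.get("State", {}).get("Name") == "terminated":
        return "NOT_APPLICABLE", "Instance is terminated; its attachments no longer exist"
    bad = noncompliant_mappings(instance)
    if not bad:
        return "COMPLIANT", "All attached EBS volumes have DeleteOnTermination=true"
    devices = ", ".join(f"{m['DeviceName']} ({m['VolumeId']})" for m in bad)
    return "NON_COMPLIANT", "DeleteOnTermination=false on: " + devices


def evaluate_reservations(reservations):
    """Map InstanceId -> non-compliant mappings over a DescribeInstances response,
    skipping terminated instances."""
    report = {}
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if compliance_verdict(instance)[0] != "NOT_APPLICABLE":
                report[instance["InstanceId"]] = noncompliant_mappings(instance)
    return report


def remediation_mappings(noncompliant):
    """The BlockDeviceMappings structure modify-instance-attribute accepts to set the flag."""
    return [{"DeviceName": m["DeviceName"], "Ebs": {"DeleteOnTermination": True}}
            for m in noncompliant]


def remediation_command(instance_id, noncompliant):
    """The equivalent AWS CLI invocation, quoted so it can be pasted into a POSIX shell."""
    mappings = json.dumps(remediation_mappings(noncompliant), separators=(",", ":"))
    return ("aws ec2 modify-instance-attribute --instance-id " + shlex.quote(instance_id)
            + " --block-device-mappings " + shlex.quote(mappings))


def audit_live(region_name, apply_fix=False):
    """Live path: page through DescribeInstances, evaluate, and optionally remediate."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live audit")
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    report = evaluate_reservations(reservations)
    if apply_fix:
        for instance_id, bad in report.items():
            if bad:
                ec2.modify_instance_attribute(InstanceId=instance_id,
                                              BlockDeviceMappings=remediation_mappings(bad))
    return report


def lambda_handler(event, context):
    """Custom AWS Config rule entry point for configuration-change triggers on
    AWS::EC2::Instance.  The instance is re-read with DescribeInstances instead of
    parsed from the configuration item, so one evaluator serves the CLI and Config paths."""
    if boto3 is None:
        raise RuntimeError("boto3 is required inside Lambda")
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        verdict, note = "NOT_APPLICABLE", "Instance no longer exists"
    else:
        resp = boto3.client("ec2").describe_instances(InstanceIds=[item["resourceId"]])
        verdict, note = compliance_verdict(resp["Reservations"][0]["Instances"][0])
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": verdict,
                      "Annotation": note[:256],  # Config caps annotations at 256 characters
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return verdict
```

Run offline, evaluate_reservations(SAMPLE_RESERVATIONS) flags only /dev/sdf on the first instance, and remediation_command produces the same modify-instance-attribute call shown earlier on this page, with the JSON single-quoted instead of backslash-escaped. Treating a missing flag as non-compliant and reporting terminated instances as NOT_APPLICABLE are deliberate: the first keeps an odd API response from reading as a pass, the second keeps a just-terminated instance from polluting the compliance history.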

By following these remediation steps and putting the check under continuous automated evaluation, organizations can show an examiner that storage is disposed of with the instance that used it, which is the FFIEC data management and disposal expectation this rule exists to meet.
