
Rule: Attached EBS Volumes Should Have Encryption Enabled

This rule ensures that all attached EBS volumes have encryption enabled for security.

Rule: Attached EBS volumes should have encryption enabled
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule Description:

The rule requires that all attached EBS (Elastic Block Store) volumes have encryption enabled in order to comply with the GxP (Good Practice) regulations specified in 21 CFR (Code of Federal Regulations) Part 11. Encryption at rest protects the confidentiality and integrity of sensitive information stored on AWS (Amazon Web Services) infrastructure, including the snapshots taken from those volumes.

Troubleshooting Steps:

  1. Validate EBS Volume Encryption:
    • Check if the attached EBS volumes have encryption enabled.
    • Verify whether encryption uses a customer managed AWS Key Management Service (KMS) key or the AWS managed key for EBS.

Remediation Steps:

  1. Enable Encryption for EBS Volumes:
    • Identify the EBS volumes that are currently unencrypted.
    • Select the desired AWS KMS encryption key or choose an AWS managed key for encryption.

  2. Migrate data from unencrypted to encrypted EBS volumes:
    • Create a snapshot of the unencrypted EBS volume.
    • Create a new encrypted EBS volume using the snapshot as the source.
    • Attach the newly created encrypted EBS volume to the instance.
    • Validate the data integrity after migration.

Command Line Interface (CLI) Commands:

  1. Check Encryption Status for Attached EBS Volumes:

    aws ec2 describe-volumes --filters Name=status,Values=in-use --query "Volumes[?Encrypted==\`false\`]"

    Note: The status filter limits the output to volumes that are currently attached to an instance, which is the scope of this rule. Drop the filter to list unencrypted volumes that are not attached as well.

  2. Create a Snapshot of the Unencrypted EBS Volume:

    aws ec2 create-snapshot --volume-id <unencrypted_volume_id>

    Note: Replace <unencrypted_volume_id> with the ID of the unencrypted EBS volume. A snapshot of an unencrypted volume is itself unencrypted; encryption is applied when the new volume is created in the next step. Wait for the snapshot to reach the completed state before continuing.

  3. Create Encrypted EBS Volume from Snapshot:

    aws ec2 create-volume --snapshot-id <snapshot_id> --encrypted --kms-key-id <kms_key_id> --availability-zone <availability_zone>

    Note: Replace <snapshot_id> with the ID of the snapshot created from the unencrypted EBS volume, <kms_key_id> with the desired AWS KMS key ID (omit --kms-key-id to use the AWS managed key for EBS), and <availability_zone> with the Availability Zone of the target instance, since a volume can only be attached to an instance in the same zone.

  4. Attach Encrypted EBS Volume to an Instance:

    aws ec2 attach-volume --volume-id <encrypted_volume_id> --instance-id <instance_id> --device <device_name>

    Note: Replace <encrypted_volume_id> with the ID of the newly created encrypted EBS volume, <instance_id> with the ID of the instance to attach the volume to, and <device_name> with the desired device name (e.g., /dev/sdf). The unencrypted volume must be detached from that device before the encrypted one is attached, and a root volume can only be swapped while the instance is stopped. Delete the unencrypted volume and its snapshot only after the data on the new volume has been validated.
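The check and the remediation sequence above can be driven from the JSON that `aws ec2 describe-volumes` and `aws kms describe-key` return. The following script is an added example written for this page, not Cloud Defense's own tooling: it finds attached volumes that violate the rule, classifies how the compliant ones are encrypted (AWS managed versus customer managed key, using the `KeyManager` field of KMS key metadata), and emits the ordered CLI plan for each finding, including the detach step and the stop/start steps a root volume needs. The sample volume IDs, instance IDs and key ARN are constructed; the root-volume test is a device-name heuristic (the authoritative source is the instance's `RootDeviceName`); and `<snapshot_id>` and `<encrypted_volume_id>` are placeholders for the IDs the preceding commands return.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
# All IDs and ARNs below are made up for this example.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa111111111111a", "State": "in-use", "Encrypted": False,
         "AvailabilityZone": "us-east-1a",
         "Attachments": [{"InstanceId": "i-0bbb222222222222b", "Device": "/dev/xvda",
                          "State": "attached"}]},
        {"VolumeId": "vol-0ccc333333333333c", "State": "in-use", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
         "AvailabilityZone": "us-east-1a",
         "Attachments": [{"InstanceId": "i-0bbb222222222222b", "Device": "/dev/sdf",
                          "State": "attached"}]},
        {"VolumeId": "vol-0ddd444444444444d", "State": "available", "Encrypted": False,
         "AvailabilityZone": "us-east-1b", "Attachments": []},
    ]
})

# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
# KeyManager is "AWS" for AWS managed keys (such as aws/ebs) and "CUSTOMER" otherwise.
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab":
        {"KeyManager": "CUSTOMER"},
}

# Heuristic: common root device names; RootDeviceName from describe-instances is authoritative.
ROOT_DEVICES = {"/dev/xvda", "/dev/sda1"}


def attached_volumes(describe_volumes_json):
    """Return only volumes that have at least one attachment in state 'attached'."""
    vols = json.loads(describe_volumes_json)["Volumes"]
    return [v for v in vols
            if any(a.get("State") == "attached" for a in v.get("Attachments", []))]


def key_class(volume, key_metadata):
    """Classify a volume's encryption: none, aws-managed, customer-managed or unknown."""
    if not volume.get("Encrypted"):
        return "none"
    meta = key_metadata.get(volume.get("KmsKeyId", ""))
    if meta is None:
        return "unknown"          # key ARN not looked up yet
    return "aws-managed" if meta.get("KeyManager") == "AWS" else "customer-managed"


def find_violations(describe_volumes_json, key_metadata):
    """Attached volumes that are not encrypted, with the attachment details needed to fix them."""
    findings = []
    for v in attached_volumes(describe_volumes_json):
        if key_class(v, key_metadata) != "none":
            continue
        att = v["Attachments"][0]
        findings.append({"VolumeId": v["VolumeId"], "InstanceId": att["InstanceId"],
                         "Device": att["Device"], "AvailabilityZone": v["AvailabilityZone"],
                         "IsRoot": att["Device"] in ROOT_DEVICES})
    return findings


def remediation_plan(finding, kms_key_id):
    """Ordered AWS CLI steps that replace one unencrypted attached volume with an encrypted copy."""
    steps = [f"aws ec2 create-snapshot --volume-id {finding['VolumeId']}",
             "aws ec2 wait snapshot-completed --snapshot-ids <snapshot_id>",
             # The new volume must live in the same AZ as the instance it will attach to.
             f"aws ec2 create-volume --snapshot-id <snapshot_id> --encrypted "
             f"--kms-key-id {kms_key_id} --availability-zone {finding['AvailabilityZone']}"]
    if finding["IsRoot"]:
        # A root volume cannot be detached from a running instance.
        steps.append(f"aws ec2 stop-instances --instance-ids {finding['InstanceId']}")
        steps.append(f"aws ec2 wait instance-stopped --instance-ids {finding['InstanceId']}")
    # A device name can hold only one volume, so the old one is detached first.
    steps.append(f"aws ec2 detach-volume --volume-id {finding['VolumeId']}")
    steps.append(f"aws ec2 attach-volume --volume-id <encrypted_volume_id> "
                 f"--instance-id {finding['InstanceId']} --device {finding['Device']}")
    if finding["IsRoot"]:
        steps.append(f"aws ec2 start-instances --instance-ids {finding['InstanceId']}")
    return steps


if __name__ == "__main__":
    for f in find_violations(SAMPLE_DESCRIBE_VOLUMES, SAMPLE_KEY_METADATA):
        print(f"{f['VolumeId']} on {f['InstanceId']} ({f['Device']}) is unencrypted")
        for s in remediation_plan(f, "<kms_key_id>"):
            print("   ", s)
```

Run against real output by piping `aws ec2 describe-volumes --output json` into `find_violations` and looking up each distinct `KmsKeyId` with `aws kms describe-key --key-id <arn>`. On the constructed sample only the root volume of the first instance is reported, and its plan includes the stop and start steps; the detached, unencrypted volume in us-east-1b is outside this rule's scope. As a preventive control alongside the remediation, `aws ec2 enable-ebs-encryption-by-default` makes every new volume in a region encrypted, so the finding does not recur.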

Conclusion:

By following the above steps and using the provided CLI commands, you can ensure that all attached EBS volumes have encryption enabled to comply with the GxP 21 CFR Part 11 regulations. This enhances data security and protection within your AWS environment.
