Enable EBS Default Encryption Rule

Ensure compliance by enabling default encryption for Amazon EBS volumes.

Rule: EBS default encryption should be enabled
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule/Policy: EBS Default Encryption for GxP 21 CFR Part 11

Description: This rule states that the default encryption setting for Amazon Elastic Block Store (EBS) volumes should be enabled for systems and applications that handle data governed by GxP (Good Practice) regulations, specifically 21 CFR Part 11. This policy ensures that sensitive and regulated data stored on EBS volumes is protected and compliant with GxP requirements.

Troubleshooting Steps (if applicable):

  1. Check if EBS default encryption is enabled: Verify the current encryption status of EBS volumes associated with the GxP systems or applications.
  2. Check encryption settings: Review the existing encryption configurations to ensure they comply with GxP 21 CFR Part 11 requirements.
  3. Determine data sensitivity: Assess the types of data stored on the EBS volumes and classify them based on their level of sensitivity and regulatory requirements.
  4. Identify any non-compliant volumes: Identify any EBS volumes that do not have default encryption enabled or are not using encryption mechanisms that meet GxP 21 CFR Part 11 standards.
  5. Review applicable EBS policies: Conduct a review of encryption policies and guidelines that govern the EBS volumes to verify compliance with GxP requirements.

Necessary Code (if applicable): No specific code is required for this rule. However, the following AWS CLI command can be used to programmatically enable default encryption for EBS volumes in a given region:

aws ec2 enable-ebs-encryption-by-default --region <region>

Step-by-step Guide for Remediation:

  1. Identify the affected EBS volumes: Determine the specific EBS volumes used by the GxP systems or applications that need encryption enabled.
  2. Enable encryption by default for new EBS volumes: Set the encryption-by-default option to ensure all new EBS volumes created within the scope of GxP systems or applications are encrypted by default.
    • Open the AWS Management Console and navigate to the EC2 service.
    • Click on "Services" in the top navigation bar and select "EC2" from the dropdown menu.
    • In the left sidebar, click on "Encryption by Default" under the "Elastic Block Store" section.
    • Select the appropriate region if not already selected.
    • Check the box next to "Enable encryption by default" and click "Save".
  3. Enable encryption for existing EBS volumes: Enable encryption for any existing EBS volumes that are not currently encrypted.
    • Identify the non-compliant EBS volumes from the troubleshooting steps.
    • For each non-compliant volume, right-click on the volume ID and select "Modify Volume" from the dropdown menu.
    • In the "Modify Volume" dialog, select the desired encryption option (e.g., "Encrypt this volume" or "Copy the data to a new encrypted volume").
    • Follow the prompts to apply the encryption settings.
  4. Verify encryption status: Validate that all EBS volumes associated with the GxP systems or applications now have encryption enabled.
    • Navigate to the EC2 service in the AWS Management Console.
    • Click on "Services" and select "EC2" from the dropdown menu.
    • In the left sidebar, click on "Volumes" under the "Elastic Block Store" section.
    • Locate the EBS volumes associated with the GxP systems or applications and verify that they are encrypted.
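The checks from the troubleshooting steps and the final verification step can be scripted with the AWS CLI instead of clicking through the console. The following is an added example, not code from the original page or from Cloud Defense; the function names are hypothetical, and it assumes configured credentials that allow ec2:GetEbsEncryptionByDefault and ec2:DescribeVolumes.

```shell
#!/bin/sh
# Added example: audit EBS encryption for one or more regions.
# Function names are hypothetical; only documented AWS CLI calls are used.

# Prints "enabled" or "disabled" for the encryption-by-default setting in region $1.
# The CLI's text output renders the boolean as True/False.
default_encryption_state() {
    state=$(aws ec2 get-ebs-encryption-by-default --region "$1" \
        --query 'EbsEncryptionByDefault' --output text) || return 2
    case "$state" in
        [Tt]rue) echo enabled ;;
        *)       echo disabled ;;
    esac
}

# Prints the IDs of unencrypted volumes in region $1, one per line.
unencrypted_volumes() {
    aws ec2 describe-volumes --region "$1" \
        --filters Name=encrypted,Values=false \
        --query 'Volumes[].VolumeId' --output text |
        tr -s '\t ' '\n' | sed '/^$/d'
}

# Prints one line per finding and returns 0 only when the region is compliant.
# A failed API call yields an empty state and is reported as a failure (fail closed).
audit_region() {
    region=$1
    rc=0
    if [ "$(default_encryption_state "$region")" != enabled ]; then
        echo "$region FAIL default-encryption-disabled"
        rc=1
    fi
    for vol in $(unencrypted_volumes "$region"); do
        echo "$region FAIL unencrypted-volume $vol"
        rc=1
    done
    [ "$rc" -eq 0 ] && echo "$region PASS"
    return "$rc"
}

# Audit every region passed on the command line; does nothing without arguments.
for r in "$@"; do
    audit_region "$r" || true
done
```

Pass one argument per region in scope, because the encryption-by-default setting is configured separately in each region.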

Remember to consult your organization's security and compliance team for any specific requirements or considerations related to GxP 21 CFR Part 11 regulations.
