
Rule: EBS Default Encryption Should Be Enabled

This rule checks that EBS encryption by default is enabled, so that data on volumes attached to EC2 instances is encrypted at rest without relying on each volume being encrypted by hand.

Rule: EBS default encryption should be enabled
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule Description

The rule requires enabling encryption by default for Amazon Elastic Block Store (EBS) volumes in order to help meet the requirements of GxP (the "Good Practice" quality guidelines) and FDA 21 CFR Part 11. That regulation sets the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records in the pharmaceutical, biotechnology, and other life sciences industries.

Enabling encryption by default ensures that every new EBS volume and every new snapshot copy created in a Region is automatically encrypted with the Region's default KMS key, so an operator cannot create an unencrypted volume by forgetting a checkbox. EBS encryption covers data at rest on the volume, data moving between the volume and the instance, and the snapshots and volumes created from it. Two caveats matter for compliance: the setting is per Region, so it must be enabled in every Region the account uses, and it does not retroactively encrypt volumes that already exist. Together with the re-encryption of legacy volumes, this helps maintain the integrity and confidentiality of electronic records in line with GxP 21 CFR Part 11.

Troubleshooting Steps

If default encryption for EBS volumes is not enabled, or if you run into problems with EBS encryption, work through the following checks:

1. Check the encryption status per Region. Encryption by default is a Region-level setting, so query it in every Region you use (for example with aws ec2 get-ebs-encryption-by-default --region <region>). Then list existing volumes that are still unencrypted. A volume cannot be encrypted in place: create a snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and swap it in for the original.

2. Confirm permissions to enable the setting. The IAM user or role needs ec2:EnableEbsEncryptionByDefault, and in practice also ec2:GetEbsEncryptionByDefault to read the current state and ec2:ModifyEbsDefaultKmsKeyId if a customer managed key is to be the default. Grant any missing action to the IAM entity.

3. Verify that new volumes are encrypted. After enabling the setting, create a volume in that Region and check its Encrypted attribute. If it is not encrypted, confirm that the setting took effect in that Region and not only in another one.

4. Review KMS permissions. When a customer managed key is the default, the principals that create volumes or launch instances must be allowed to use the key (EC2 creates grants on their behalf); if they are not, volume creation or instance launch fails. Fix the key policy or the IAM policy as needed.

5. Verify the key settings. Check which key is the default for EBS in each Region (the AWS managed key aws/ebs or a customer managed key), that the key is enabled and lives in the same Region, and that its key policy and rotation settings match your compliance requirements.

6. Enable logging and monitoring. AWS CloudTrail records EnableEbsEncryptionByDefault, DisableEbsEncryptionByDefault and ModifyEbsDefaultKmsKeyId calls, and the AWS Config managed rule ec2-ebs-encryption-by-default flags Regions where the setting is off. Alert on both so that a regression is caught quickly.

Configuration Steps

To enable default encryption for EBS volumes in line with GxP 21 CFR Part 11, follow the steps below:

1. Open the AWS Management Console and navigate to the IAM service. Make sure you have permission to edit IAM policies and roles in the account.

2. Identify the IAM user or role that will enable default encryption for EBS volumes.

3. Attach a policy to that user or role granting ec2:EnableEbsEncryptionByDefault (and ec2:GetEbsEncryptionByDefault and ec2:ModifyEbsDefaultKmsKeyId if a customer managed key will be the default).

4. Save the policy and open the EC2 service in the console. Select the Region you want to configure; the setting is per Region.

5. On the EC2 Dashboard, under Account attributes, open EBS encryption, choose Manage, select Enable, pick the default KMS key (the AWS managed key aws/ebs or a customer managed key), and save. Equivalently, run aws ec2 enable-ebs-encryption-by-default --region <region> from the CLI.

6. Repeat the previous step in every Region the account uses.

7. In the Elastic Block Store section, open Volumes and identify existing volumes that are not encrypted. The new setting does not change them: for each one, create a snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and replace the original.

8. Navigate to the AWS Key Management Service (KMS) and verify that the principals that create volumes and launch instances are allowed to use the chosen key.

9. Review the key's settings: it must be enabled and in the same Region, and its key policy and rotation settings must align with compliance requirements.

10. Enable logging and monitoring: CloudTrail for changes to the setting and to the default key, and the AWS Config managed rules ec2-ebs-encryption-by-default (for the Region setting) and encrypted-volumes (for existing volumes) to detect drift.

Once these steps are complete in every Region, all new EBS volumes and snapshot copies in the account are encrypted by default, which is what this rule checks.
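The audit-and-remediate procedure above, carried out across all Regions, as an added example in Python with boto3; this is not Cloud Defense's own code. The real-account path assumes boto3 is installed and AWS credentials are configured; the StubEC2 class, the demo_account Regions, the vol-0aaa and vol-0bbb volume IDs and any key ARN passed in are constructed for offline use. The EC2 API calls it makes (GetEbsEncryptionByDefault, EnableEbsEncryptionByDefault, GetEbsDefaultKmsKeyId, ModifyEbsDefaultKmsKeyId, DescribeVolumes) correspond to the ec2:* actions the caller needs.

```python
# Added example (not Cloud Defense's code): audit and fix EBS encryption by default in every Region.
# Real-account helpers need boto3 + credentials; the logic itself runs offline against StubEC2.
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RegionFinding:
    region: str
    default_encryption: bool
    default_kms_key: str
    unencrypted_volumes: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # A Region passes only if the flag is on AND no legacy unencrypted volume remains.
        return self.default_encryption and not self.unencrypted_volumes


def list_unencrypted_volumes(ec2) -> List[str]:
    """Page through DescribeVolumes using the server-side encrypted=false filter."""
    ids, token = [], None
    while True:
        kwargs = {"Filters": [{"Name": "encrypted", "Values": ["false"]}]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_volumes(**kwargs)
        ids.extend(v["VolumeId"] for v in page.get("Volumes", []))
        token = page.get("NextToken")
        if not token:
            return ids


def audit_region(ec2, region: str) -> RegionFinding:
    """Read the per-Region flag, the default KMS key and any unencrypted volumes."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionFinding(region, enabled, key, list_unencrypted_volumes(ec2))


def remediate_region(ec2, finding: RegionFinding, kms_key_id: Optional[str] = None) -> RegionFinding:
    """Enable encryption by default, optionally pin a customer managed key, then re-audit."""
    # Existing volumes are left alone on purpose: they cannot be encrypted in place
    # (snapshot -> encrypted copy -> new volume), so they stay in the finding to be scheduled.
    if not finding.default_encryption:
        ec2.enable_ebs_encryption_by_default()
    if kms_key_id and finding.default_kms_key != kms_key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    return audit_region(ec2, finding.region)


def audit_account(client_for: Callable[[str], object], regions: List[str],
                  fix: bool = False, kms_key_id: Optional[str] = None) -> Dict[str, RegionFinding]:
    """Audit every Region (the setting is regional); with fix=True remediate those that need it."""
    results = {}
    for region in regions:
        ec2 = client_for(region)
        finding = audit_region(ec2, region)
        needs_key = bool(kms_key_id) and finding.default_kms_key != kms_key_id
        if fix and (not finding.default_encryption or needs_key):
            finding = remediate_region(ec2, finding, kms_key_id)
        results[region] = finding
    return results


class StubEC2:
    """Offline stand-in for the boto3 EC2 client; all of its state is constructed, not real."""
    def __init__(self, enabled: bool, key: str, unencrypted: List[str]):
        self.enabled, self.key, self.unencrypted = enabled, key, list(unencrypted)
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}
    def enable_ebs_encryption_by_default(self):
        self.enabled = True
        return {"EbsEncryptionByDefault": True}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.key}
    def modify_ebs_default_kms_key_id(self, KmsKeyId: str):
        self.key = KmsKeyId
        return {"KmsKeyId": KmsKeyId}
    def describe_volumes(self, Filters, NextToken: Optional[str] = None):
        start = int(NextToken or 0)  # one volume per page, so the caller's NextToken loop is exercised
        resp = {"Volumes": [{"VolumeId": v, "Encrypted": False} for v in self.unencrypted[start:start + 1]]}
        if start + 1 < len(self.unencrypted):
            resp["NextToken"] = str(start + 1)
        return resp


def demo_account() -> Dict[str, StubEC2]:
    """Constructed two-Region account: one Region non-compliant, one already enabled."""
    return {"us-east-1": StubEC2(False, "alias/aws/ebs", ["vol-0aaa", "vol-0bbb"]),
            "eu-west-1": StubEC2(True, "alias/aws/ebs", [])}


def boto3_client_for(region: str):
    import boto3  # imported lazily so everything above runs without boto3 installed
    return boto3.client("ec2", region_name=region)


def enabled_regions() -> List[str]:
    import boto3
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    return sorted(r["RegionName"] for r in regions)


if __name__ == "__main__":
    if "--demo" in sys.argv:  # constructed stub account; otherwise the real account is used
        acct = demo_account()
        client_for, regions = acct.__getitem__, sorted(acct)
    else:
        client_for, regions = boto3_client_for, enabled_regions()
    for region, f in audit_account(client_for, regions, fix="--fix" in sys.argv).items():
        print(f"{'PASS' if f.compliant else 'FAIL'} {region}: default={f.default_encryption} "
              f"key={f.default_kms_key} unencrypted={f.unencrypted_volumes}")
```

Run it with --demo to see the stub account, or with --fix against a real account to turn the setting on wherever it is off. Note that a Region can still show FAIL after --fix: enabling encryption by default never touches existing volumes, so the unencrypted ones stay in the finding until they have been replaced via the snapshot-copy workflow.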
