
Rule: EBS Default Encryption Should Be Enabled

This rule ensures that EBS default encryption is enabled so that every new EBS volume attached to an EC2 instance, and every snapshot copy, is encrypted at rest without relying on each volume being encrypted by hand.

Rule: EBS default encryption should be enabled
Framework: HIPAA
Severity: Medium

Rule Description:

The rule requires that Amazon Elastic Block Store (EBS) encryption by default is enabled in every region that hosts workloads in scope for the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a United States law whose Security Rule requires covered entities and their business associates to safeguard electronic protected health information (ePHI); encrypting data at rest is one of the expected safeguards. EBS default encryption is an account setting, stored separately per region, that makes encryption the baseline for every new volume and snapshot copy in that region instead of something each team has to remember per volume.

Troubleshooting Steps:

If default encryption for EBS volumes is not enabled, work through the following checks:

  1. Check the region-level setting in the EC2 console or with the get-ebs-encryption-by-default CLI call. The setting is stored per account and per region, so a region that was never configured is the usual cause of a finding.
  2. Check which KMS key is configured as the default key (get-ebs-default-kms-key-id). It is the AWS-managed key alias/aws/ebs unless a customer-managed key has been set; workloads that need their own key policy, access control and audit trail on the key usually want a customer-managed key.
  3. List the volumes that are still unencrypted (describe-volumes with the filter encrypted=false). Enabling default encryption does not change existing volumes, so these need to be migrated separately.
  4. Check whether the account and region are within the HIPAA-compliant scope. If they hold no ePHI, document the exception rather than leaving the finding open; if they do, check in CloudTrail whether the setting was switched off after being enabled (the DisableEbsEncryptionByDefault event) and find out who did it.

Necessary Codes:

No application code is required to enable EBS default encryption; it is a per-region account setting that you turn on from the AWS Management Console or with the AWS Command Line Interface (CLI) commands listed below.

Remediation Steps:

Follow these steps to remediate the issue and enable EBS default encryption. Because the setting is stored separately in every region, repeat the procedure in each region that holds in-scope workloads:

  1. Open the AWS Management Console and go to the Amazon EC2 service.
  2. Select the appropriate region from the region selector.
  3. On the EC2 Dashboard, under "Account attributes", choose "Data protection and security".
  4. Under "EBS encryption", choose "Manage".
  5. Select "Enable". Optionally choose a customer-managed KMS key as the default encryption key instead of the AWS-managed key (alias/aws/ebs).
  6. Choose "Update EBS encryption" to save the change.
  7. Repeat the above steps in every other region that is in scope.

Please note that default encryption only affects volumes and snapshot copies created after it is enabled; it does not retroactively encrypt existing volumes, and an unencrypted volume cannot be encrypted in place. For each existing unencrypted volume, create a snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, and swap it in for the original. Also note that anyone holding the ec2:DisableEbsEncryptionByDefault permission can turn the setting off again, so deny that action in IAM policies or in a service control policy where compliance has to hold over time.

CLI Command:

To check and enable default encryption for EBS volumes using the AWS CLI, run the following commands; each of them applies to a single region:

aws ec2 get-ebs-encryption-by-default --region <region-name>

aws ec2 enable-ebs-encryption-by-default --region <region-name>

Replace <region-name> with the appropriate region code (e.g., us-east-1). The first command reports "EbsEncryptionByDefault": true once the setting is on. New volumes are then encrypted with the AWS-managed key alias/aws/ebs; to use a customer-managed key instead, set it as the default with

aws ec2 modify-ebs-default-kms-key-id --region <region-name> --kms-key-id <key-id>

where <key-id> is the key ID, ARN or alias of the customer-managed key, and confirm it with get-ebs-default-kms-key-id.
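The checks from the troubleshooting steps and the CLI commands above can be combined into one audit. The script below is an added example written for this page, not Cloud Defense's rule engine or AWS code: the evaluation is pure Python over the JSON shapes returned by get-ebs-encryption-by-default, get-ebs-default-kms-key-id and describe-volumes, run here on a constructed sample, and an optional --live mode fetches real data with boto3. The volume IDs, account number and KMS key ARN in the sample are made up, and the angle-bracket placeholders in the generated commands stand for values that only exist once the preceding command has run.

```python
"""Audit EBS default encryption for one region and list what still needs fixing.

Added example for this page; the evaluation runs offline on constructed data,
and --live <region> replaces it with real values fetched through boto3.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Key EBS uses when no customer-managed default key has been configured.
AWS_MANAGED_EBS_KEY = "alias/aws/ebs"


@dataclass(frozen=True)
class Finding:
    region: str
    resource: str   # "account" for the region-wide setting, else a volume ID
    status: str     # "COMPLIANT" or "NON_COMPLIANT"
    detail: str


def evaluate_region(region: str, encryption_by_default: bool,
                    default_kms_key_id: str, volumes: list[dict]) -> list[Finding]:
    """One finding for the region-level setting, then one per existing volume.
    They are kept separate because the setting only affects volumes created later."""
    findings: list[Finding] = []
    if encryption_by_default:
        key_note = (f"AWS-managed key {AWS_MANAGED_EBS_KEY}"
                    if default_kms_key_id == AWS_MANAGED_EBS_KEY
                    else f"customer-managed key {default_kms_key_id}")
        findings.append(Finding(region, "account", "COMPLIANT",
                                f"encryption by default is on, new volumes use {key_note}"))
    else:
        findings.append(Finding(region, "account", "NON_COMPLIANT",
                                "encryption by default is off"))
    for vol in volumes:
        vol_id = vol["VolumeId"]
        if vol.get("Encrypted"):
            findings.append(Finding(region, vol_id, "COMPLIANT",
                                    f"encrypted with {vol.get('KmsKeyId', 'unknown key')}"))
        else:
            findings.append(Finding(region, vol_id, "NON_COMPLIANT",
                                    "unencrypted; not fixed by enabling default encryption"))
    return findings


def remediation_commands(finding: Finding) -> list[str]:
    """AWS CLI commands that fix a finding; empty when nothing is needed.
    <snapshot-id>, <encrypted-snapshot-id> and <az> are placeholders for later values."""
    if finding.status == "COMPLIANT":
        return []
    region = finding.region
    if finding.resource == "account":
        return [f"aws ec2 enable-ebs-encryption-by-default --region {region}"]
    vol_id = finding.resource
    # EBS cannot encrypt a volume in place: snapshot it, copy the snapshot with
    # --encrypted, build a new volume from the copy and swap it in.
    return [
        f"aws ec2 create-snapshot --region {region} --volume-id {vol_id}",
        f"aws ec2 copy-snapshot --region {region} --source-region {region} "
        f"--source-snapshot-id <snapshot-id> --encrypted",
        f"aws ec2 create-volume --region {region} --availability-zone <az> "
        f"--snapshot-id <encrypted-snapshot-id>",
        f"# detach {vol_id}, attach the new volume on the same device, verify, then delete {vol_id}",
    ]


def collect_region(region: str) -> tuple[bool, str, list[dict]]:
    """Fetch the three inputs from AWS (live mode only; needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample run does not need the SDK

    ec2 = boto3.client("ec2", region_name=region)
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    volumes: list[dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return enabled, key_id, volumes


# Constructed sample shaped like describe-volumes output (IDs, account and key
# ARN are made up): one volume on a customer-managed key, one unencrypted.
SAMPLE_REGION = "us-east-1"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False},
]


def report(region: str, enabled: bool, key_id: str, volumes: list[dict]) -> int:
    """Print every finding with its fix and return the number of non-compliant ones."""
    bad = 0
    for finding in evaluate_region(region, enabled, key_id, volumes):
        print(f"{finding.status:<14}{finding.region} {finding.resource}: {finding.detail}")
        for cmd in remediation_commands(finding):
            print(f"    {cmd}")
        if finding.status == "NON_COMPLIANT":
            bad += 1
    return bad


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--live":
        live_region = sys.argv[2]
        sys.exit(1 if report(live_region, *collect_region(live_region)) else 0)
    sys.exit(1 if report(SAMPLE_REGION, False, AWS_MANAGED_EBS_KEY, SAMPLE_VOLUMES) else 0)
```

Run without arguments to see the sample audit (it exits non-zero because the setting is off and one volume is unencrypted), or with --live us-east-1 under credentials that allow ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId and ec2:DescribeVolumes. The script deliberately never runs the remediation itself: the enable call is safe to automate, but the snapshot-and-swap migration changes attached storage and belongs in a change window.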

Conclusion:

Enabling EBS default encryption ensures that all EBS volumes and snapshot copies created afterwards in that region are encrypted automatically, which is what this HIPAA rule checks. It does not encrypt volumes that already existed, so those must be migrated separately, and it is a per-region setting that can be switched off again, so it should be enabled in every in-scope region and verified continuously, for example with the AWS Config managed rule ec2-ebs-encryption-by-default, to maintain a secure and compliant environment.
