
Rule: EBS Default Encryption Should Be Enabled

This rule ensures that EBS default encryption is enabled to secure data at rest.

Rule: EBS default encryption should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

This rule ensures that AWS Elastic Block Store (EBS) default encryption is enabled for compliance with the NIST 800-53 Revision 5 security standard. Enabling default encryption helps protect sensitive data at rest within EBS volumes. It ensures that all newly created EBS volumes are automatically encrypted using AWS Key Management Service (KMS) encryption keys.

Troubleshooting Steps:

If default encryption for EBS volumes is not enabled, follow these troubleshooting steps to remediate the issue:

  1. Verify Encryption Status: Check the encryption status of the existing EBS volumes within your AWS account.
  2. Check Default Encryption Setting: Verify if the default encryption setting is set to "Enabled" for EBS volumes.
  3. Review Encryption Key Policy: Ensure that the AWS Key Management Service (KMS) encryption key policy allows encryption and decryption operations for the appropriate users or roles.
  4. Check IAM Permissions: Confirm that the IAM roles and policies associated with the AWS account have the necessary permissions to enable default encryption for EBS volumes.

Necessary Code:

There is no explicit code required to enable default encryption for EBS volumes. However, you may need to use AWS CLI commands to update the default encryption setting and verify the encryption status of your EBS volumes.

Example CLI commands are provided below.

Enable Default Encryption for EBS volumes (the setting is per region, so run it in every region you use):

$ aws ec2 enable-ebs-encryption-by-default --region <region-name>

Verify Encryption Status of EBS volumes:

$ aws ec2 describe-volumes --region <region-name> --query "Volumes[*].{ID:VolumeId, Encrypted:Encrypted}"

Remediation Steps:

Follow these step-by-step instructions to enable default encryption for EBS volumes:

  1. Verify Default Encryption Status:

    • Run the following AWS CLI command to check the default encryption status:
    $ aws ec2 get-ebs-encryption-by-default --region <region-name>

    • If the output shows "EbsEncryptionByDefault": true, default encryption is already enabled. Proceed to the next step. If it is false, continue with the remediation steps.

  2. Enable Default Encryption:

    • Execute the following AWS CLI command to enable default encryption for EBS volumes:
    $ aws ec2 enable-ebs-encryption-by-default --region <region-name>

    • Replace <region-name> with the AWS region where you want to enable default encryption. The setting is per region, so repeat the command in each region you use.
    • This command sets the default encryption attribute to true and echoes "EbsEncryptionByDefault": true on success.

  3. Verify Encryption Status of EBS volumes:

    • Run the AWS CLI command below to verify the encryption status of existing EBS volumes:
    $ aws ec2 describe-volumes --region <region-name> --query "Volumes[*].{ID:VolumeId, Encrypted:Encrypted}"

    • Replace <region-name> with the appropriate AWS region.
    • Check the output. If all EBS volumes have the Encrypted value true, default encryption is successfully enabled. Otherwise, proceed to the next step. Note that the default applies to volumes created after it is enabled; a volume that already existed unencrypted stays unencrypted and must be dealt with separately.

  4. Troubleshoot Encryption Issues:

    • If the encryption status for some or all EBS volumes is not true, check the AWS Key Management Service (KMS) encryption key policy to ensure it allows encryption and decryption operations. Adjust the policy if necessary.
    • Confirm that the IAM roles and policies associated with the AWS account have the necessary permissions to enable default encryption for EBS volumes.
    • Repeat steps 1 and 3 to verify the encryption status after making any policy or permission changes.

By following these steps, you can ensure that default encryption is enabled for EBS volumes in accordance with NIST 800-53 Revision 5 compliance requirements.
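The check-then-remediate flow of steps 1 to 3, as an added Python example (not Cloud Defense's or AWS's code) that calls the same EC2 APIs as the CLI commands above through boto3 and reports the default-encryption setting separately from pre-existing unencrypted volumes. It assumes boto3 is installed with credentials holding ec2:GetEbsEncryptionByDefault, ec2:DescribeVolumes and, for --fix, ec2:EnableEbsEncryptionByDefault; SAMPLE_VOLUMES is constructed data.

```python
"""Per-region EBS default-encryption audit (added example, not Cloud Defense's code).
Assumes boto3 credentials with ec2:GetEbsEncryptionByDefault, ec2:DescribeVolumes
and, when --fix is passed, ec2:EnableEbsEncryptionByDefault."""
from typing import Dict, List

SAMPLE_VOLUMES = [  # constructed test data in describe-volumes shape, not real IDs
    {"VolumeId": "vol-0aaa111", "Encrypted": True},
    {"VolumeId": "vol-0bbb222", "Encrypted": False},
]


def unencrypted_volume_ids(volumes: List[dict]) -> List[str]:
    """IDs of volumes whose Encrypted flag is missing or false."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def assess_region(region: str, default_enabled: bool, volumes: List[dict]) -> Dict[str, object]:
    """Default encryption only governs volumes created after it is enabled, so an
    enabled default with leftover unencrypted volumes is a separate finding."""
    leftovers = unencrypted_volume_ids(volumes)
    if not default_enabled:
        finding = "FAIL: EBS encryption by default is disabled"
    elif leftovers:
        finding = "WARN: default enabled, but pre-existing unencrypted volumes remain"
    else:
        finding = "PASS"
    return {"region": region, "default_enabled": default_enabled,
            "unencrypted": leftovers, "finding": finding}


def audit_region(region: str, fix: bool = False) -> Dict[str, object]:
    """Live check; boto3 is imported here so the pure helpers above run offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not enabled and fix:
        # Same effect as: aws ec2 enable-ebs-encryption-by-default --region <region>
        ec2.enable_ebs_encryption_by_default()
        enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    volumes: List[dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return assess_region(region, enabled, volumes)


if __name__ == "__main__":
    import sys
    regions = [a for a in sys.argv[1:] if a != "--fix"] or ["us-east-1"]
    for r in regions:
        print(audit_region(r, fix="--fix" in sys.argv))
```

Run it as `python audit.py us-east-1 eu-west-1` to report, or add `--fix` to enable the default where it is off; a WARN line means step 3's leftover volumes need separate handling.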
