Ensure Rule: EBS Default Encryption Enabled

Check if EBS default encryption is enabled to enhance data security.

Rule: EBS default encryption should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

EBS default encryption should be enabled for compliance with NIST 800-53 Revision 5. This rule ensures that any new EBS volumes created in AWS are automatically encrypted to protect sensitive data at rest in the cloud environment.

Troubleshooting

If EBS default encryption is not enabled, the following troubleshooting steps may be helpful:

  1. Verify the current encryption status of EBS volumes by reviewing the AWS Management Console or using the AWS Command Line Interface (CLI) with the describe-volumes command.
  2. Check the default encryption setting in AWS account settings to determine if it is enabled or disabled.
  3. Review the IAM policies attached to your AWS account to verify that the necessary permissions are granted to enable EBS default encryption.
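The troubleshooting steps above can be scripted. The following added example (not part of the original rule page) parses constructed output in the shape returned by `aws ec2 get-ebs-encryption-by-default` and `aws ec2 describe-volumes` for one region and reports both findings: a disabled default and any existing unencrypted volumes, which the default does not retroactively fix. The region name, volume IDs and helper names are assumptions.

```python
import json

# Constructed sample in the shape returned by `aws ec2 get-ebs-encryption-by-default`.
# The setting is per account AND per region, so it must be checked in every region used.
SAMPLE_DEFAULT_SETTING = '{"EbsEncryptionByDefault": false}'

# Constructed sample in the shape returned by `aws ec2 describe-volumes` (same region).
SAMPLE_VOLUMES = """
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111", "State": "in-use", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-1234567890ab"},
    {"VolumeId": "vol-0bbb222", "State": "in-use", "Encrypted": false},
    {"VolumeId": "vol-0ccc333", "State": "available", "Encrypted": false}
  ]
}
"""


def default_encryption_enabled(setting_json):
    """Return True if the region's EBS encryption-by-default flag is set."""
    return bool(json.loads(setting_json).get("EbsEncryptionByDefault", False))


def unencrypted_volumes(volumes_json):
    """Return IDs of volumes whose 'Encrypted' flag is missing or false."""
    data = json.loads(volumes_json)
    return [v["VolumeId"] for v in data.get("Volumes", []) if not v.get("Encrypted", False)]


def audit_region(region, setting_json, volumes_json):
    """Combine both checks into findings for one region.

    Enabling the default only affects volumes created afterwards, so existing
    unencrypted volumes are reported separately with their own remediation.
    """
    findings = []
    if not default_encryption_enabled(setting_json):
        findings.append(f"{region}: EBS encryption by default is DISABLED "
                        "(remediate with `aws ec2 enable-ebs-encryption-by-default`)")
    for vol in unencrypted_volumes(volumes_json):
        findings.append(f"{region}: volume {vol} is not encrypted; enabling the default "
                        "does not encrypt it (snapshot, copy with encryption, recreate)")
    return findings


if __name__ == "__main__":
    for line in audit_region("us-east-1", SAMPLE_DEFAULT_SETTING, SAMPLE_VOLUMES):
        print(line)
```

In a real audit, feed the script the live JSON from the two CLI commands for each region; the parsing and reporting logic stays the same.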

Code

The account-level EBS default encryption setting has no native AWS CloudFormation resource type; it is configured through the EC2 API. The following AWS CLI commands enable EBS default encryption and set the default KMS key for the current region:

# Turn on encryption by default for new volumes in this region
aws ec2 enable-ebs-encryption-by-default

# Use a specific KMS key instead of the AWS-managed alias/aws/ebs key
aws ec2 modify-ebs-default-kms-key-id \
    --kms-key-id "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-1234567890ab"

Replace "arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-1234567890ab" with the ARN (Amazon Resource Name) of the desired AWS Key Management Service (KMS) key.

Remediation Steps

To enable EBS default encryption, follow these steps:

  1. Open the AWS Management Console.
  2. Navigate to the Amazon EC2 service.
  3. In the left navigation pane, click on "Account attributes".
  4. Locate the "EBS default encryption" attribute and click on "Edit".
  5. Select the desired AWS Key Management Service (KMS) key from the dropdown menu.
  6. Click on "Save".

Alternatively, you can use the AWS CLI to enable EBS default encryption by running the following command:

# The setting is regional: run this once in every region where you create volumes
aws ec2 enable-ebs-encryption-by-default

Ensure that you have the necessary IAM permissions to modify account attributes.

Conclusion

Enabling EBS default encryption ensures that all new EBS volumes are automatically encrypted, providing an extra layer of data protection in accordance with NIST 800-53 Revision 5. By following the remediation steps provided, you can ensure compliance and enhance the security of your AWS environment.
