Rule: EBS Default Encryption Should Be Enabled

This rule ensures that EBS default encryption is enabled to protect data at rest.

Rule: EBS default encryption should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

NIST 800-53 Revision 5 requires protection of information at rest (control SC-28). For Amazon Elastic Block Store (EBS), the simplest way to meet this is to enable encryption by default, so that every volume created afterwards is encrypted at creation without relying on whoever creates it to tick the box. This rule checks that the setting is on.

Encryption by default is an account attribute that is set separately in each region. New volumes are encrypted with the AWS managed key alias/aws/ebs unless a customer managed KMS key has been configured as the default for the region. Enabling it protects data at rest (and the snapshots taken from those volumes), helps meet compliance requirements, and removes a common cause of audit findings: volumes that were created unencrypted by mistake.

Troubleshooting Steps

If default encryption for EBS volumes is not enabled, follow these troubleshooting steps:

  1. Validate the EBS encryption-by-default setting:

    • Go to the AWS Management Console and navigate to the EC2 service.
    • On the EC2 dashboard for the region you are checking, open "Account attributes" and select "EBS encryption", or run:
      aws ec2 get-ebs-encryption-by-default --region <region>
    • A response of "EbsEncryptionByDefault": false means default encryption is not enabled in that region. The setting is per account and per region, so repeat the check for every region in use.
    • Do not infer the setting from the "Encrypted" column of the Volumes list: a volume created before the setting was turned on stays unencrypted, and a volume can be encrypted explicitly while the default is still off. The account attribute is the only authoritative source.
  2. Verify the AWS Key Management Service (KMS) key used for default encryption:

    • On the same "EBS encryption" page, or with `aws ec2 get-ebs-default-kms-key-id --region <region>`, check which key new volumes will use.
    • If no key has been set, new volumes use the AWS managed key alias/aws/ebs. If you need a customer managed key (for example to control access through the key policy or to share encrypted snapshots across accounts), create one in the KMS console and set it as the EBS default with `aws ec2 modify-ebs-default-kms-key-id --kms-key-id <key-id-or-arn> --region <region>`.
  3. Enable default encryption for EBS volumes:

    • Open the AWS Command Line Interface (CLI) or AWS CloudShell.
    • Run the following command in each region where the setting is off:
      aws ec2 enable-ebs-encryption-by-default --region <region>
      
    • The response echoes "EbsEncryptionByDefault": true. Confirm with get-ebs-encryption-by-default, then create a test volume in that region and verify it is reported as encrypted.

Remediation Steps

To enable default encryption for EBS volumes:

  1. Open the AWS Command Line Interface (CLI) or AWS CloudShell with credentials that are allowed the ec2:EnableEbsEncryptionByDefault action.

  2. Run the following command in each region where default encryption is off (the setting is per region and does not propagate):

    aws ec2 enable-ebs-encryption-by-default --region <region>
    
  3. Confirm the change: `aws ec2 get-ebs-encryption-by-default --region <region>` should now return "EbsEncryptionByDefault": true, and any EBS volume created afterwards in that region should be reported as encrypted.

Note: Enabling default encryption only affects volumes created after the setting is turned on; existing unencrypted volumes are not encrypted in place. To migrate one, take a snapshot of the volume, copy the snapshot with encryption enabled (an unencrypted snapshot can be copied to an encrypted one), create a new volume from the encrypted copy, and swap it in for the original. Once the setting is on, volumes created from unencrypted snapshots or AMIs are also encrypted at creation.
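The troubleshooting and remediation steps above are the same three API calls repeated per region, plus the inventory of existing unencrypted volumes that the Note says the setting will not fix. The script below is an added example, not Cloud Defense's own code: it reads the account attribute directly instead of inferring it from the volume list, enables the setting only where it is off, verifies the new state from the API response, records the default KMS key, and pages through describe_volumes for unencrypted volumes that still need migration. The functions take a boto3-style EC2 client as a parameter so they run offline against the constructed FakeEc2 stand-in at the bottom (its volume IDs are hypothetical); in real use pass boto3.client("ec2", region_name=region) for each region instead.

```python
"""Audit, and optionally remediate, EBS encryption by default per region.

Added example, not Cloud Defense's own code. The functions take a boto3-style
EC2 client so they can run offline against the constructed FakeEc2 below; in
real use pass boto3.client("ec2", region_name=region). The setting is per
account *and* per region, so every region in use must be checked.
"""
from dataclasses import dataclass, field

ENCRYPTED_FALSE = [{"Name": "encrypted", "Values": ["false"]}]


@dataclass
class RegionReport:
    region: str
    was_enabled: bool      # state before this run
    now_enabled: bool      # state after (same as was_enabled unless remediated)
    default_kms_key: str   # key new volumes will use: alias/aws/ebs or a CMK
    unencrypted_volumes: list = field(default_factory=list)  # not fixed by the default

    @property
    def compliant(self) -> bool:
        return self.now_enabled


def list_unencrypted_volumes(ec2) -> list:
    """Page through describe_volumes with the encrypted=false filter.
    Enabling the default never re-encrypts these; they need snapshot-copy migration."""
    ids, kwargs = [], {"Filters": ENCRYPTED_FALSE}
    while True:
        page = ec2.describe_volumes(**kwargs)
        ids.extend(v["VolumeId"] for v in page.get("Volumes", []))
        token = page.get("NextToken")
        if not token:
            return ids
        kwargs["NextToken"] = token


def audit_region(ec2, region: str, remediate: bool = False) -> RegionReport:
    """Read the account attribute directly rather than guessing from volumes."""
    was = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    now = was
    if remediate and not was:
        # Same call as `aws ec2 enable-ebs-encryption-by-default`; the response
        # echoes the new state, so verify from that instead of assuming success.
        now = ec2.enable_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionReport(region, was, now, key, list_unencrypted_volumes(ec2))


def audit_account(clients: dict, remediate: bool = False) -> dict:
    """clients maps region name -> EC2 client; returns region -> RegionReport."""
    return {r: audit_region(c, r, remediate) for r, c in clients.items()}


class FakeEc2:
    """Constructed offline stand-in for boto3's EC2 client. Method names and
    response shapes follow the real API; the state and volume IDs are made up."""
    PAGE = 2  # small page size so pagination is exercised

    def __init__(self, enabled: bool, unencrypted: list, kms: str = "alias/aws/ebs"):
        self.enabled, self.unencrypted, self.kms = enabled, list(unencrypted), kms
        self.enable_calls = 0

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self):
        self.enable_calls += 1
        self.enabled = True
        return {"EbsEncryptionByDefault": True}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self.kms}

    def describe_volumes(self, Filters=None, NextToken=None):
        if Filters != ENCRYPTED_FALSE:
            raise ValueError("fake only models the encrypted=false filter")
        start = int(NextToken or 0)
        chunk = self.unencrypted[start:start + self.PAGE]
        resp = {"Volumes": [{"VolumeId": v, "Encrypted": False} for v in chunk]}
        if start + self.PAGE < len(self.unencrypted):
            resp["NextToken"] = str(start + self.PAGE)
        return resp


if __name__ == "__main__":
    # Constructed account: one region already compliant, one not.
    clients = {
        "us-east-1": FakeEc2(enabled=True, unencrypted=[]),
        "eu-west-1": FakeEc2(enabled=False, unencrypted=["vol-0aaa", "vol-0bbb", "vol-0ccc"]),
    }
    for region, rep in audit_account(clients, remediate=True).items():
        print(f"{region}: default was {rep.was_enabled}, now {rep.now_enabled}, "
              f"key={rep.default_kms_key}, still unencrypted={rep.unencrypted_volumes}")
```

Run it with remediate=False first to get a read-only report per region; the unencrypted_volumes list is the migration backlog that turning on the default will not clear.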

Additional Information

  • Enabling default encryption for EBS volumes aligns with best practices for data protection and with SC-28 (Protection of Information at Rest) in NIST 800-53 Revision 5.
  • Encryption at rest protects volume and snapshot data if the underlying storage media or an exported snapshot is exposed; it does not restrict principals who already have IAM permission to attach or read the volume, so it complements, rather than replaces, access control and least privilege.
  • Audit the setting in every region on a schedule, for example with the AWS Config managed rule ec2-ebs-encryption-by-default, and track existing unencrypted volumes separately, since enabling the default does not encrypt them.
