Control: 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions
Description
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store(EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are not converted automatically.
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Remediation
From Console
- Open the Amazon EC2 console using EC2
- Under Account attributes, click
EBS encryption
. - Click Manage.
- Click the
Enable
checkbox. - Click
Update EBS encryption
- Repeat for every region requiring the change.
From Command Line
- Run
aws --region <region> ec2 enable-ebs-encryption-by-default.
- Verify that EbsEncryptionByDefault: true is displayed.
- Review every region in-use.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v150_2_2_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v150_2_2_1 --share
SQL
This control uses a named query:
ebs_encryption_by_default_enabled