🚀Launch Week 04, May 13th - 17th, 2024!🚀
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions

Description

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

From Console:

  1. Log in to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Click the Enable checkbox.
  5. Click Update EBS encryption
  6. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.

From Command Line:

  1. Run
aws --region <region> ec2 enable-ebs-encryption-by-default.
  1. Verify that EbsEncryptionByDefault: true is displayed.
  2. Repeat every region requiring the change.

Note: EBS volume encryption is configured per region.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v300_2_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v300_2_2_1 --share

SQL

This control uses a named query:

ebs_volume_encryption_at_rest_enabled

Tags

category = Compliance
cis = true
cis_item_id = 2.2.1
cis_level = 1
cis_section_id = 2.2
cis_type = automated
cis_version = v3.0.0
plugin = aws
service = AWS/EBS