Control: 7 EBS default encryption should be enabled
Description
This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store (Amazon EBS). The control fails if account-level encryption is not enabled.
When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data. For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.
Note that the following instance types do not support encryption: R1, C1, and M1.
Remediation
You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.
To configure default encryption for Amazon EBS volumes in a Region
- Open the Amazon EC2 console.
- From the navigation pane, select EC2 Dashboard.
- In the upper-right corner of the page, choose Account Attributes, EBS encryption.
- Choose Manage.
- Select Enable. You can keep the AWS managed CMK with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed CMK.
- Choose Update EBS encryption.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_7 --share
SQL
This control uses a named query:
ebs_encryption_by_default_enabled
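As an added example (not the mod's named query and not code from the Powerpipe project), the same per-Region pass/fail check expressed against the EC2 API with boto3. It uses the real calls GetEbsEncryptionByDefault and GetEbsDefaultKmsKeyId; the region names, account id, key ARN and the stub client are constructed so the evaluator runs offline.

```python
"""Check EBS encryption-by-default per Region, mirroring the control's ok/alarm rows.

Added example, not the mod's own query. Uses the real EC2 API calls
GetEbsEncryptionByDefault and GetEbsDefaultKmsKeyId via a boto3 EC2 client;
the Regions, account id and key ARN below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class RegionResult:
    region: str
    status: str  # "ok" or "alarm", as Powerpipe reports control rows
    reason: str


def evaluate_region(ec2, region: str) -> RegionResult:
    """ec2 is a boto3 EC2 client (or any object exposing the same two methods)."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    if not enabled:
        return RegionResult(region, "alarm", f"{region} default EBS encryption disabled.")
    # Report which key new volumes will use: the AWS managed key alias/aws/ebs
    # or a customer managed CMK the account owner selected.
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    return RegionResult(region, "ok", f"{region} default EBS encryption enabled (key: {key}).")


def evaluate_account(client_factory, regions):
    """client_factory(region) -> EC2 client, e.g. lambda r: boto3.client('ec2', region_name=r)."""
    return [evaluate_region(client_factory(r), r) for r in regions]


def summarize(results):
    alarms = [r.region for r in results if r.status == "alarm"]
    return {"ok": len(results) - len(alarms), "alarm": len(alarms), "alarm_regions": alarms}


class _StubEC2:
    """Constructed stand-in returning the same shapes as the real API, for offline runs."""
    def __init__(self, enabled, key="alias/aws/ebs"):
        self._enabled, self._key = enabled, key
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self._enabled}
    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self._key}


# Constructed sample: two Regions enabled (one with a customer managed CMK), one not.
SAMPLE_REGIONS = {
    "us-east-1": _StubEC2(True),
    "eu-west-1": _StubEC2(True, key="arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"),
    "ap-south-1": _StubEC2(False),
}


def sample_summary():
    return summarize(evaluate_account(lambda r: SAMPLE_REGIONS[r], SAMPLE_REGIONS))


if __name__ == "__main__":
    # Against a real account: evaluate_account(lambda r: boto3.client("ec2", region_name=r), regions)
    for row in evaluate_account(lambda r: SAMPLE_REGIONS[r], SAMPLE_REGIONS):
        print(row.status, row.reason)
```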