turbot/steampipe-mod-aws-compliance

Control: 2.2.1 Ensure EBS volume encryption is enabled

Description

Elastic Compute Cloud (EC2) supports encryption at rest for volumes provided by the Elastic Block Store (EBS) service. Encryption is disabled by default, but an account can be configured to enforce encryption whenever an EBS volume is created.

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

From Console:

  1. Log in to the EC2 console using https://console.aws.amazon.com/ec2/.
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Click the Enable checkbox.
  5. Click Update EBS encryption.
  6. Repeat for every region requiring the change.

Note EBS volume encryption is configured per region.

From Command Line:

  1. Run:
aws --region <region> ec2 enable-ebs-encryption-by-default
  2. Verify that "EbsEncryptionByDefault": true is displayed in the output.
  3. Repeat for every region requiring the change.

Note EBS volume encryption is configured per region.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_2_2_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_2_1 --share

SQL

This control uses a named query:

select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when not default_ebs_encryption_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not default_ebs_encryption_enabled then region || ' EBS encryption by default disabled.'
    else region || ' EBS encryption by default enabled.'
  end as reason,
  region,
  account_id
from
  aws_ec2_regional_settings;
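The following is an added example, not code from the steampipe-mod-aws-compliance mod. It reproduces the control's per-region evaluation above outside Steampipe (same resource ARN, status and reason as the SQL) and then applies the command-line remediation step only to regions reported in alarm; the client_for_region callable is an assumption that lets the audit run against boto3 EC2 clients or against a stub.

```python
"""Added example: evaluate CIS 2.2.1 per region and remediate alarmed regions.
Mirrors the control's SQL; uses the same EC2 API as the CLI remediation step."""
from typing import Callable, Dict, List


def evaluate_region(partition: str, account_id: str, region: str,
                    enabled: bool) -> Dict[str, str]:
    """One row per region, with the same columns the control's query emits."""
    status = "ok" if enabled else "alarm"
    state = "enabled" if enabled else "disabled"
    return {
        "resource": f"arn:{partition}::{region}:{account_id}",
        "status": status,
        "reason": f"{region} EBS encryption by default {state}.",
        "region": region,
        "account_id": account_id,
    }


def audit_regions(regions: List[str], account_id: str,
                  client_for_region: Callable, partition: str = "aws") -> List[Dict[str, str]]:
    """client_for_region(region) returns an object with the two EC2 calls used
    here (a boto3 EC2 client does; the test passes a stub).  Default EBS
    encryption is a per-region setting, so every region is queried."""
    rows = []
    for region in regions:
        resp = client_for_region(region).get_ebs_encryption_by_default()
        enabled = bool(resp.get("EbsEncryptionByDefault"))
        rows.append(evaluate_region(partition, account_id, region, enabled))
    return rows


def remediate(rows: List[Dict[str, str]], client_for_region: Callable,
              dry_run: bool = True) -> List[str]:
    """Enable default EBS encryption only where the audit reported 'alarm'.
    Returns the regions changed (or, with dry_run, the ones that would be)."""
    changed = []
    for row in rows:
        if row["status"] != "alarm":
            continue
        if not dry_run:
            resp = client_for_region(row["region"]).enable_ebs_encryption_by_default()
            if not resp.get("EbsEncryptionByDefault"):  # verify as the CLI step does
                raise RuntimeError(f"{row['region']}: setting did not take effect")
        changed.append(row["region"])
    return changed


if __name__ == "__main__":  # live run; assumes AWS credentials in the environment
    import boto3
    account = boto3.client("sts").get_caller_identity()["Account"]
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    client = lambda r: boto3.client("ec2", region_name=r)
    rows = audit_regions(regions, account, client)
    for row in rows:
        print(row["status"], row["reason"])
    print("would enable in:", remediate(rows, client))  # pass dry_run=False to apply
```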

Tags