Control: 6.1.1 Ensure EBS volume encryption is enabled in all regions
Description
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Remediation
From Console:
- Login to the AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
- Under Account attributes, click Data protection and security.
- Under EBS encryption, click Manage.
- Check the Enable box to turn on encryption by default.
- Click Update EBS encryption.
- Repeat for each region in which EBS volume encryption is not enabled by default.
Note: EBS volume encryption is configured per region.
From Command Line:
- Run the following command:
aws --region <region> ec2 enable-ebs-encryption-by-default
- Verify that "EbsEncryptionByDefault": true is displayed.
- Repeat for each region in which EBS volume encryption is not enabled by default.
Note: EBS volume encryption is configured per region.
Default Value:
By default, EBS volume encryption is disabled. It must be manually enabled per region; otherwise, new EBS volumes are created unencrypted.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_6_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_6_1_1 --share
SQL
This control uses a named query:
select
  'arn:' || partition || '::' || region || ':' || account_id as resource,
  case
    when not default_ebs_encryption_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when not default_ebs_encryption_enabled then region || ' EBS encryption by default disabled.'
    else region || ' EBS encryption by default enabled.'
  end as reason,
  region,
  account_id
from
  aws_ec2_regional_settings;
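The same per-region check the query above performs, done directly with the AWS CLI and combined with the command-line remediation step, as an added example that is not part of the Powerpipe mod. It assumes AWS CLI v2 with credentials permitted to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and, only when --remediate is passed, ec2:EnableEbsEncryptionByDefault.

```shell
#!/usr/bin/env bash
# Added example: audit EBS encryption by default in every enabled region,
# reproducing the control's ok/alarm status and reason text, and optionally
# apply the page's remediation command to regions that alarm.
set -eu

# Classify one region from the JSON printed by
# `aws ec2 get-ebs-encryption-by-default`. Prints "ok" only when the key is
# literally true; false, a missing key or a malformed body all yield "alarm".
classify_region() {
  json="$1"
  if printf '%s' "$json" | tr -d ' \t\n' | grep -q '"EbsEncryptionByDefault":true'; then
    echo ok
  else
    echo alarm
  fi
}

# Build the same reason string the control's SQL returns.
reason_for() {
  region="$1"; status="$2"
  if [ "$status" = ok ]; then
    echo "$region EBS encryption by default enabled."
  else
    echo "$region EBS encryption by default disabled."
  fi
}

# Walk every enabled region, print "<status> <reason>" per line, and return 1
# if any region alarms. With "yes" as the argument, enable the setting there.
audit_all_regions() {
  remediate="${1:-no}"; failed=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    json="$(aws --region "$region" ec2 get-ebs-encryption-by-default)"
    status="$(classify_region "$json")"
    echo "$status $(reason_for "$region" "$status")"
    if [ "$status" = alarm ]; then
      failed=1
      if [ "$remediate" = yes ]; then
        aws --region "$region" ec2 enable-ebs-encryption-by-default >/dev/null
        echo "  enabled EBS encryption by default in $region"
      fi
    fi
  done
  return "$failed"
}

# Only contact AWS when invoked explicitly: ./ebs_audit.sh --run [--remediate]
if [ "${1:-}" = --run ]; then
  if [ "${2:-}" = --remediate ]; then audit_all_regions yes; else audit_all_regions no; fi
fi
```

A non-zero exit from --run means at least one region still creates unencrypted volumes, which makes the script usable as a CI or scheduled guardrail.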