Skip to main content

lacework-global-51

2.2.1 Ensure EBS volume encryption is enabled (Automated)

Profile Applicability

• Level 1

Description

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.

Rationale

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Audit

From Console

  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
  2. Under Account attributes, click EBS encryption.
  3. Verify Always encrypt new EBS volumes displays Enabled.
  4. Review every region in-use.
note

EBS volume encryption is configured per region.

From Command Line

  1. Run
aws --region <region> ec2 get-ebs-encryption-by-default
  1. Verify that "EbsEncryptionByDefault": true is displayed.
  2. Review every region in-use.
note

EBS volume encryption is configured per region.

Remediation

From Console

  1. Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Click the Enable checkbox.
  5. Click Update EBS encryption
  6. Repeat for every region requiring the change.
note

EBS volume encryption is configured per region.

From Command Line

  1. Run
aws --region <region> ec2 enable-ebs-encryption-by-default
  1. Verify that "EbsEncryptionByDefault": true is displayed.
  2. Repeat every region requiring the change.
note

EBS volume encryption is configured per region.

References

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/

Additional Information

Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are not converted automatically.