lacework-global-90
Ensure EBS Volumes are Encrypted
Description
An AWS EBS volume is a durable, block-level storage device that can be attached to an EC2 instance. EBS volumes can be used as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. By default, these volumes are not encrypted.
Remediation
It is not possible to directly encrypt an unencrypted volume. Instead, we recommend creating a snapshot of the volume and then creating an encrypted volume from that snapshot. We also recommend enabling encryption by default so that new volumes and snapshots are encrypted going forward.
To enable encryption by default for a Region
Log in to the AWS Management Console.
From the navigation bar, select the Region.
Click Services.
Click EC2.
Under Account Attributes, click EBS encryption.
Select Manage.
Select Enable under Always encrypt new EBS volumes.
Choose Update EBS encryption.
To create a snapshot using the console
Log in to the AWS Management Console.
Click Services.
Click EC2.
Choose Volumes under Elastic Block Store in the navigation pane.
Select a volume.
Under Actions, choose Create Snapshot.
Choose Create Snapshot.
To create an EBS volume from a snapshot using the console
Log in to the AWS Management Console.
Click Services.
Click EC2.
Choose Volumes under Elastic Block Store in the navigation pane.
Choose Create Volume.
For Snapshot ID, start typing the ID or description of the snapshot to create a volume from, and choose from the list of suggested options.
(If not using encryption by default) Select Encrypt this volume.
Fill in applicable volume fields.
Choose Create Volume.
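The check and the three console procedures above can also be expressed as a small offline audit. The following is an added example, not Lacework's or AWS's own code: it reads data shaped like `aws ec2 describe-volumes` output, flags unencrypted volumes, and prints the AWS CLI equivalents of the console steps. The sample volume and instance IDs, the function names, and the `<SNAPSHOT_ID>` placeholder are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes` output; IDs are made up.
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0example0000000001", "Encrypted": False, "VolumeType": "gp3",
     "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0example0000000001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0example0000000002", "Encrypted": True, "VolumeType": "gp3",
     "AvailabilityZone": "us-east-1a", "Attachments": []},
    {"VolumeId": "vol-0example0000000003", "Encrypted": False, "VolumeType": "io1",
     "AvailabilityZone": "us-east-1b", "Attachments": []},
]}


def unencrypted_volumes(describe_volumes):
    """Volumes whose Encrypted flag is false or absent (treated as failing)."""
    return [v for v in describe_volumes.get("Volumes", []) if v.get("Encrypted") is not True]


def remediation_plan(volume, region):
    """CLI equivalents of the console steps: snapshot, then encrypted volume from it."""
    vid, az = volume["VolumeId"], volume["AvailabilityZone"]
    return {
        "volume": vid,
        # Instances currently using the volume, so owners can be notified.
        "attached_to": [a["InstanceId"] for a in volume.get("Attachments", [])],
        "commands": [
            f"aws ec2 create-snapshot --region {region} --volume-id {vid}",
            # <SNAPSHOT_ID> is a placeholder for the ID returned by the previous command.
            f"aws ec2 create-volume --region {region} --availability-zone {az} "
            f"--snapshot-id <SNAPSHOT_ID> --encrypted",
        ],
    }


def audit(describe_volumes, region, default_encryption_enabled):
    """Report failing volumes plus the account-level fix if default encryption is off."""
    account = [] if default_encryption_enabled else [
        f"aws ec2 enable-ebs-encryption-by-default --region {region}"]
    return {"account_commands": account,
            "findings": [remediation_plan(v, region) for v in unencrypted_volumes(describe_volumes)]}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, "us-east-1", default_encryption_enabled=False), indent=2))
```

The current value for `default_encryption_enabled` can be read per Region with `aws ec2 get-ebs-encryption-by-default`.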