lacework-global-51
2.2.1 Enable volume encryption for Elastic Block Store (EBS) (Automated)
Profile Applicability
• Level 1
Description
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While turned off by default, you can force encryption at EBS volume creation.
Rationale
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Audit
From Console
- Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/
- Under
Account attributes, clickEBS encryption. - Verify
Always encrypt new EBS volumesdisplaysEnabled. - Review every region in-use.
EBS volume encryption is configured per region.
From Command Line
- Run
aws --region <region> ec2 get-ebs-encryption-by-default
- Verify that
"EbsEncryptionByDefault": trueis displayed. - Review every region in-use.
EBS volume encryption is configured per region.
Remediation
From Console
- Login to AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
- Under
Account attributes, clickEBS encryption. - Click
Manage. - Click the
Enablecheckbox. - Click
Update EBS encryption. - Repeat for every region requiring the change.
Configure EBS volume encryption per region.
From Command Line
- Run
aws --region <region> ec2 enable-ebs-encryption-by-default
- Verify that the command returns
"EbsEncryptionByDefault": true. - Repeat for every region requiring the change.
- Configure EBS volume encryption per region.
- You can utilize Lacework's remediation template to resolve violations of this policy. See Remediation Templates.
References
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/
Additional Information
Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are not converted automatically.