πŸ›‘οΈ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟒

  • Contextual name: πŸ›‘οΈ EBS Volume Encryption Attribute is not enabled in all regions🟒
  • ID: /ce/ca/aws/account/ebs-volume-encryption-attribute-in-all-regions
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Stats

not available

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-0bdcd2761

Description

Elastic Block Store (EBS) encryption by default should be enabled in every active AWS Region so new EBS volumes are encrypted automatically at creation.

Rationale

Encrypting EBS volumes at rest reduces the likelihood that stored data is unintentionally exposed and can reduce the impact of unauthorized access to the underlying storage.

Impact

Losing access to or deleting the KMS key used by EBS volumes can make the volumes inaccessible.

Audit

From Console
  1. Sign in to the AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
  2. Under Account attributes, click EBS encryption.
  3. Verify Always encrypt new EBS volumes displays Enabled.
  4. Review every active region.

Note: EBS volume encryption is configured per region.

From Command Line
  1. Run:

    aws --region {{region-name}} ec2 get-ebs-encryption-by-default
  2. Verify that "EbsEncryptionByDefault": true is displayed.
  3. Review every active region.

Note: EBS volume encryption is configured per region.

Remediation

From Console

  1. Sign in to the AWS Management Console and open the Amazon EC2 console using https://console.aws.amazon.com/ec2/.
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Select the Enable checkbox.
  5. Click Update EBS encryption.
  6. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.

From Command Line

  1. Run:

    aws --region {{region}} ec2 enable-ebs-encryption-by-default
  2. Verify that "EbsEncryptionByDefault": true is displayed.
  3. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.
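The audit and remediation command-line steps above, run against every enabled region in one pass so no region is missed; this is an added example, not the policy's or the benchmark's own code, and it assumes a configured AWS CLI with read-only EC2 permissions and the hypothetical script name audit_ebs_default.sh used in the run guard.

```shell
#!/usr/bin/env sh
# Added example (not part of the original policy page): audit every enabled
# region for EBS encryption-by-default and print the remediation command for
# each region that still needs it. Needs ec2:DescribeRegions and
# ec2:GetEbsEncryptionByDefault only; nothing is changed.

# Returns 0 when the JSON from get-ebs-encryption-by-default reports the
# attribute as enabled, 1 otherwise. Kept separate so it can be checked
# against captured output without calling AWS.
ebs_default_enabled() {
    printf '%s' "$1" | grep -Eq '"EbsEncryptionByDefault"[[:space:]]*:[[:space:]]*true'
}

# Lists the regions usable by this account (opt-in not required or opted in),
# one per line. Regions that are not opted in cannot hold volumes and the
# call would fail there, so they are skipped.
enabled_regions() {
    aws ec2 describe-regions \
        --filters 'Name=opt-in-status,Values=opt-in-not-required,opted-in' \
        --query 'Regions[].RegionName' --output text | tr '\t' '\n'
}

# One status line per region; returns non-zero if any region is not compliant
# or could not be queried, so the script can gate a pipeline.
audit_all_regions() {
    rc=0
    for region in $(enabled_regions); do
        out=$(aws --region "$region" ec2 get-ebs-encryption-by-default --output json 2>/dev/null) || {
            printf '%s\tERROR (call failed)\n' "$region"; rc=1; continue; }
        if ebs_default_enabled "$out"; then
            printf '%s\tENABLED\n' "$region"
        else
            # Remediation step from the page, printed rather than executed.
            printf '%s\tNOT ENABLED -> aws --region %s ec2 enable-ebs-encryption-by-default\n' \
                "$region" "$region"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when executed under the assumed script name (hypothetical),
# not when the functions are sourced by another script.
case "$0" in
    *audit_ebs_default.sh) audit_all_regions ;;
esac
```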

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices;1212no data
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2324no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.7] EBS default encryption should be enabled11no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest20no data
💼 AWS Well-Architected → 💼 SEC08-BP03 Automate data at rest protection2no data
💼 CIS AWS v1.3.0 → 💼 2.2.1 Ensure EBS volume encryption is enabled11no data
💼 CIS AWS v1.4.0 → 💼 2.2.1 Ensure EBS volume encryption is enabled11no data
💼 CIS AWS v1.5.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated)11no data
💼 CIS AWS v2.0.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated)11no data
💼 CIS AWS v3.0.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated)11no data
💼 CIS AWS v4.0.0 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)1no data
💼 CIS AWS v4.0.1 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)1no data
💼 CIS AWS v5.0.0 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)1no data
💼 CIS AWS v6.0.0 → 💼 6.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)1no data
💼 CIS AWS v7.0.0 → 💼 6.1.1 Ensure EBS volume encryption is enabled in all regions (Automated)1no data
💼 Cloudaware Framework → 💼 Data Encryption65no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)2829no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)17no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)18no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)1643no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)1738no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)526no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)43no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)138no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)26no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)43no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)138no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)26no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls1920no data
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records1116no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected1530no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented5498no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-13 CRYPTOGRAPHIC PROTECTION422no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains3335no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks54no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management17no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration18no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection432no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest31939no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection1126no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection27no data
💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712no data
💼 PCI DSS v4.0.1 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.14no data
💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable.12no data
💼 PCI DSS v4.0 → 💼 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.914no data
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable.12no data
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data611no data