📁 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢

  • Contextual name: 📁 EBS Volume Encryption Attribute is not enabled in all regions 🟢
  • ID: /ce/ca/aws/account/ebs-volume-encryption-attribute-in-all-regions
  • Located in: 📁 AWS Account

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule                 Policies  Flags
✉️ dec-x-0bdcd2761

Description

Elastic Compute Cloud (EC2) supports encryption at rest for volumes provided by the Elastic Block Store (EBS) service. Although the account-level setting is disabled by default, AWS supports forcing encryption of every newly created EBS volume in a region.

Rationale

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and, as long as the encryption remains unbroken and the key is protected, can nullify the impact of a disclosure of the underlying storage.

Impact

Losing access to, or deleting, the KMS key used by the EBS volumes will make those volumes permanently unreadable; key lifecycle and access controls must be managed accordingly.

Audit

From Console
  1. Log in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Under Account attributes, click EBS encryption.
  3. Verify that Always encrypt new EBS volumes displays Enabled.
  4. Repeat the check in every region in use.

Note: EBS volume encryption is configured per region.

From Command Line
  1. Run:
     aws --region <region> ec2 get-ebs-encryption-by-default
  2. Verify that "EbsEncryptionByDefault": true is displayed.
  3. Repeat the check in every region in use.

Note: EBS volume encryption is configured per region.

Remediation

From Console

  1. Log in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Under Account attributes, click EBS encryption.
  3. Click Manage.
  4. Select the Enable checkbox.
  5. Click Update EBS encryption.
  6. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.

From Command Line

  1. Run:
     aws --region <region> ec2 enable-ebs-encryption-by-default
  2. Verify that "EbsEncryptionByDefault": true is displayed.
  3. Repeat for every region requiring the change.

Note: EBS volume encryption is configured per region.
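The audit and remediation command-line procedures above both have to be repeated per region. The following script, an added example that is not part of this policy page or of Cloudaware's own tooling, walks every region enabled for the account, reports the attribute, and enables it where `--fix` is given. It assumes AWS CLI v2 with credentials permitted to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and (for --fix) ec2:EnableEbsEncryptionByDefault; `ebs_default_enabled`, `enabled_regions` and `audit_ebs_encryption` are names chosen here.

```shell
#!/bin/sh
# Audit, and optionally remediate, EBS encryption-by-default in every
# enabled region. Added example (hypothetical helper names), not the
# policy's own code. Usage: sh ebs_audit.sh --audit | --fix

# Return 0 when a get-ebs-encryption-by-default JSON response reports the
# attribute as enabled, 1 otherwise. Whitespace is stripped so the check
# is independent of CLI pretty-printing; pure text, so it is testable offline.
ebs_default_enabled() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"EbsEncryptionByDefault":true'
}

# Regions enabled for this account. describe-regions omits opt-in regions
# that are not enabled, which matches "every region in use".
enabled_regions() {
    aws ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Print one line per region; with --fix, enable the attribute where it is
# off and re-check. Returns 1 if any region is still not enabled.
audit_ebs_encryption() {
    fix="$1"; rc=0
    for region in $(enabled_regions); do
        out=$(aws --region "$region" ec2 get-ebs-encryption-by-default --output json)
        if ebs_default_enabled "$out"; then
            echo "$region: enabled"
            continue
        fi
        if [ "$fix" = "--fix" ]; then
            out=$(aws --region "$region" ec2 enable-ebs-encryption-by-default --output json)
            if ebs_default_enabled "$out"; then
                echo "$region: enabled (fixed)"
                continue
            fi
        fi
        echo "$region: NOT enabled"
        rc=1
    done
    return $rc
}

case "${1:-}" in
    --audit) audit_ebs_encryption ;;
    --fix)   audit_ebs_encryption --fix ;;
esac
```

A non-zero exit from `audit_ebs_encryption` is a convenient signal for a CI or scheduled compliance job; note that enabling the attribute only affects volumes created afterwards, existing unencrypted volumes are untouched.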

Linked Framework Sections

Section → Sub Section (trailing figures are the Internal Rules / Policies / Flags counts as extracted)
💼 APRA CPG 234 → 💼 52c appropriate encryption, cleansing and auditing of devices; 99
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance). 2122
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.7] EBS default encryption should be enabled 11
💼 CIS AWS v1.3.0 → 💼 2.2.1 Ensure EBS volume encryption is enabled 11
💼 CIS AWS v1.4.0 → 💼 2.2.1 Ensure EBS volume encryption is enabled 11
💼 CIS AWS v1.5.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated) 11
💼 CIS AWS v2.0.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated) 11
💼 CIS AWS v3.0.0 → 💼 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions - Level 1 (Automated) 11
💼 CIS AWS v4.0.0 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated) 1
💼 CIS AWS v4.0.1 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated) 1
💼 CIS AWS v5.0.0 → 💼 5.1.1 Ensure EBS volume encryption is enabled in all regions (Automated) 1
💼 Cloudaware Framework → 💼 Data Encryption 37
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) 2425
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H) 4
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H) 4
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) 1622
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) 1722
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) 512
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) 22
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) 122
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) 12
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) 22
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H) 122
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H) 12
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls 1819
💼 ISO/IEC 27001:2022 → 💼 5.33 Protection of records 1015
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected 1528
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented 4666
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 110
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected 91
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 104
💼 NIST SP 800-53 Revision 4 → 💼 SC-13 CRYPTOGRAPHIC PROTECTION 422
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains 2931
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks 18
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management 4
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration 4
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection 411
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest 31523
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection 1012
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection 10
💼 PCI DSS v3.2.1 → 💼 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms. 712
💼 PCI DSS v4.0.1 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. 12
💼 PCI DSS v4.0 → 💼 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable. 12
💼 SOC 2 → 💼 CC6.1-10 Uses Encryption to Protect Data 611