
🛡️ AWS EBS Snapshot is not encrypted

Description

This policy identifies AWS EBS snapshots that are not encrypted. EBS snapshots can contain sensitive or critical data, and enabling encryption helps protect this data at rest. Snapshot encryption is handled transparently by AWS and does not require any changes to your server instances or applications.

Rationale

Encrypting EBS snapshots ensures that data is protected from unauthorized access. If an unencrypted snapshot is shared or accessed by an unauthorized entity, the data it contains may be exposed.

EBS snapshot encryption uses the AES-256 encryption algorithm and is fully managed by AWS through the Amazon Key Management Service (KMS), ensuring secure key storage and access control.

Audit

This policy flags an AWS EBS Snapshot as INCOMPLIANT if the Encrypted field is set to false.

Remediation

Encrypt an Existing EBS Snapshot

From Console
  1. Sign in to the AWS Management Console.

  2. Navigate to the Amazon EC2 dashboard.

  3. In the left navigation pane, under Elastic Block Store, choose Snapshots.

  4. Select the unencrypted EBS snapshot to be encrypted.

  5. Choose Actions from the top menu and select Copy snapshot.

  6. In the Copy snapshot dialog, perform the following:

    • Select the Destination Region where the encrypted copy will be created.

    • (Optional) Update the snapshot Description.

    • Select Encrypt this snapshot.

    • Choose the KMS key to use for encryption.

      • If no customer-managed KMS keys are available, select the default key, (default) aws/ebs.

    • Choose Copy snapshot to start the encryption process.

  7. Once the encrypted snapshot copy is created, verify its status on the Snapshots page.

  8. After confirming the encrypted snapshot is available, delete the original unencrypted snapshot:

    • Select the unencrypted snapshot.

    • Choose Actions, then Delete snapshot.
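The Audit check and the copy-then-delete procedure above, as an added Python example that is not the policy's or Cloudaware's own code; FakeEC2, the sample snapshot rows and the helper names are assumptions constructed so it runs offline, mirroring the boto3 EC2 client methods the functions call.

```python
# Added example (not Cloudaware's policy code): the Audit check plus the copy-then-delete
# remediation. FakeEC2 is a constructed offline stand-in mirroring a boto3 EC2 client.
import itertools

AWS_MANAGED_EBS_KEY = "alias/aws/ebs"  # the "(default) aws/ebs" key from step 6

def find_unencrypted(describe_response):
    """Audit: flag every snapshot whose Encrypted field is false (or absent)."""
    return [s["SnapshotId"] for s in describe_response["Snapshots"]
            if not s.get("Encrypted", False)]

def start_encrypted_copies(ec2, source_region, dest_region, kms_key_id=None):
    """Steps 5-6: start an encrypted copy of each flagged snapshot; {orig: copy}."""
    replaced = {}
    for sid in find_unencrypted(ec2.describe_snapshots(OwnerIds=["self"])):
        resp = ec2.copy_snapshot(  # the same choices as the Copy snapshot dialog
            SourceSnapshotId=sid, SourceRegion=source_region, DestinationRegion=dest_region,
            Encrypted=True, KmsKeyId=kms_key_id or AWS_MANAGED_EBS_KEY)
        replaced[sid] = resp["SnapshotId"]
    return replaced

def delete_replaced_originals(ec2, replaced):
    """Steps 7-8: delete an original only once its copy is encrypted and completed."""
    deleted = []
    for old, new in replaced.items():
        copy = ec2.describe_snapshots(SnapshotIds=[new])["Snapshots"][0]
        if copy["State"] == "completed" and copy["Encrypted"]:
            ec2.delete_snapshot(SnapshotId=old)
            deleted.append(old)
    return deleted

class FakeEC2:  # constructed in-memory stand-in for the EC2 client calls above
    def __init__(self, snapshots):
        self.snaps = {s["SnapshotId"]: dict(s) for s in snapshots}
        self._ids = itertools.count(1)
    def describe_snapshots(self, OwnerIds=None, SnapshotIds=None):
        rows = [s for i, s in self.snaps.items() if SnapshotIds is None or i in SnapshotIds]
        return {"Snapshots": rows}
    def copy_snapshot(self, **p):  # a fresh copy starts out 'pending', as on AWS
        new_id = f"snap-copy{next(self._ids):04d}"
        self.snaps[new_id] = {"SnapshotId": new_id, "State": "pending", "Encrypted": p["Encrypted"]}
        return {"SnapshotId": new_id}
    def complete_pending(self):  # simulates AWS finishing the copies
        for s in self.snaps.values():
            s["State"] = "completed"
    def delete_snapshot(self, SnapshotId):
        del self.snaps[SnapshotId]

SAMPLE_SNAPSHOTS = [{"SnapshotId": "snap-0aaa", "Encrypted": False, "State": "completed"},
                    {"SnapshotId": "snap-0bbb", "Encrypted": True, "State": "completed"}]  # constructed
```

Against a real account, replace FakeEC2 with boto3.client("ec2", region_name=dest_region) and, instead of complete_pending, wait with ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[...]) before running the delete step.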


Linked Framework Sections

Framework → Section
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
💼 Cloudaware Framework → 💼 Data Encryption
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections | Compliance Checks
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control | Cryptography Management
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection | Prevent Exfiltration
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest | Cryptographic Protection
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity | Cryptographic Protection