🛡️ AWS EBS Attached Volume is not encrypted with KMS CMK🟢

• Contextual name: 🛡️ EBS Attached Volume is not encrypted with KMS CMK🟢
• ID: /ce/ca/aws/ec2/ebs-volume-cmk-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EBS Volume
  • 🔌 AWS KMS Key - object.extracts.yaml
  • 🔌 AWS EBS Volume - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
• Cloud Conformity: EBS Encrypted With KMS Customer Master Keys

Description

Open File

Description

This policy identifies AWS EBS Volumes that are encrypted using AWS managed keys instead of AWS KMS customer-managed keys. Using customer-managed keys provides greater control over the encryption and decryption process for data stored on EBS volumes. When configured, KMS customer-managed keys are used to encrypt data at rest, EBS snapshots, and disk I/O.

Rationale

Using customer-managed KMS keys to protect EBS data enables granular control over key usage and access permissions, supporting the Principle of Least Privilege (PoLP). Amazon KMS allows you to create, rotate, disable, and audit customer-managed keys, improving governance and auditability of encryption key management.

Audit

This policy flags an AWS EBS Volume as INCOMPLIANT if either of the following conditions is met:

• No AWS KMS Key is associated with the volume, or
• The AWS KMS Key Manager is not CUSTOMER.

EBS volumes that are not attached to any instance are marked as INAPPLICABLE.

Unencrypted EBS volumes are addressed by the AWS EBS Attached Volume is not encrypted policy and are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Encrypt Amazon EBS Volumes

To encrypt Amazon EBS volumes using AWS KMS customer-managed keys (CMKs), perform the following steps.

From Command Line

Create a customer-managed KMS key

KMS_KEY_ARN=$(aws kms create-key \
  --region {{region-name}} \
  --description "Customer-managed CMK for EBS volume encryption" \
  --query 'KeyMetadata.Arn' \
  --output text)

aws kms create-alias \
  --region {{region-name}} \
  --alias-name {{alias/ebs-encryption-cmk}} \
  --target-key-id $KMS_KEY_ARN

Re-create the EBS volume using the CMK

1. Create a snapshot of the source volume:

   aws ec2 create-snapshot \
   --region {{region-name}} \
   --volume-id {{volume-id}}

2. Copy the snapshot with encryption enabled:

   aws ec2 copy-snapshot \
   --region {{region-name}} \
   --source-region {{source-region}} \
   --source-snapshot-id {{snapshot-id}} \
   --encrypted \
   --kms-key-id {{kms-key-arn}}

3. Create a new volume from the encrypted snapshot:

   aws ec2 create-volume \

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest			3		no data
💼 AWS Well-Architected → 💼 SEC08-BP01 Implement secure key management			3		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			17		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			18		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	25		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			25		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data