🛡️ AWS EBS Attached Volume is not encrypted🟢

• Contextual name: 🛡️ EBS Attached Volume is not encrypted🟢
• ID: /ce/ca/aws/ec2/ebs-volume-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EBS Volume
  • 🔌 AWS EBS Volume - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest

Description

Open File

Description

Ensure that all attached AWS EBS volumes are encrypted at rest using AWS-managed or customer-managed keys. Encryption provides a critical layer of data protection and should be enforced for all in-use volumes.

Rational

Encrypting EBS volumes at rest helps safeguard sensitive data from unauthorized access in the event of physical compromise or internal misuse. Enforcing encryption for all attached volumes ensures that data is protected during operation and aligns with security best practices and compliance requirements.

Audit

This policy flags an AWS EBS Volume as INCOMPLIANT if the Encrypted checkbox is set to false and the Volume is currently attached to an EC2 instance.

Volumes that are not attached to any instance are marked as INAPPLICABLE.

Remediation

Open File

Remediation

AWS EBS does not support in-place encryption of existing unencrypted volumes. To encrypt an unencrypted volume, you must create a snapshot of the volume and then use that snapshot to create a new encrypted volume.

Optionally, you can enable encryption by default to ensure that all future EBS volumes are automatically encrypted, including those created from unencrypted snapshots.

From Command Line

Enable Default Encryption

This ensures that all new volumes created in the specified region are encrypted by default:

aws ec2 enable-ebs-encryption-by-default --region {{region}}

Create a Snapshot of the Unencrypted Volume

aws ec2 create-snapshot \
    --volume-id {{volume-id}} \
    --description "{{Snapshot description}}"

Wait until the snapshot status is completed before proceeding.

Create a New Encrypted Volume from the Snapshot

aws ec2 create-volume 
    --snapshot-id {{snapshot-id}}
    --availability-zone {{us-east-1a}}
    --encrypted

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest			1		no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			17		no data
💼 Cloudaware Framework → 💼 Data Encryption			57		no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			13		no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			13		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	34		no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	32		no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	21		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			34		no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		32		no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			34		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		32		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			21		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			32		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			20		no data