Skip to main content

πŸ“ AWS EBS Attached Volume is not encrypted 🟒

  • Contextual name: πŸ“ EBS Attached Volume is not encrypted 🟒
  • ID: /ce/ca/aws/ec2/ebs-volume-encryption
  • Located in: πŸ“ AWS EC2

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Ensure that all attached AWS EBS volumes are encrypted at rest using AWS-managed or customer-managed keys. Encryption provides a critical layer of data protection and should be enforced for all in-use volumes.

Rational​

Encrypting EBS volumes at rest helps safeguard sensitive data from unauthorized access in the event of physical compromise or internal misuse. Enforcing encryption for all attached volumes ensures that data is protected during operation and aligns with security best practices and compliance requirements.

Audit​

This policy flags an AWS EBS Volume as INCOMPLIANT if the Encrypted checkbox is set to false and the Volume is currently attached to an EC2 instance.

Volumes that are not attached to any instance are marked as INAPPLICABLE.

Remediation​

Open File

Remediation​

AWS EBS does not support in-place encryption of existing unencrypted volumes. To encrypt an unencrypted volume, you must create a snapshot of the volume and then use that snapshot to create a new encrypted volume.

Optionally, you can enable encryption by default to ensure that all future EBS volumes are automatically encrypted, including those created from unencrypted snapshots.

From Command Line​

Enable Default Encryption​

This ensures that all new volumes created in the specified region are encrypted by default:

aws ec2 enable-ebs-encryption-by-default --region {{region}}
Create a Snapshot of the Unencrypted Volume​
aws ec2 create-snapshot \
    --volume-id {{volume-id}} \
    --description "{{Snapshot description}}"

Wait until the snapshot status is completed before proceeding.

Create a New Encrypted Volume from the Snapshot​
aws ec2 create-volume 
    --snapshot-id {{snapshot-id}}
    --availability-zone {{us-east-1a}}
    --encrypted

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption42
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(10) Prevent Exfiltration (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1624
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1724
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)514
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks20
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection413
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31625
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1014
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection12