Information
Elastic Compute Cloud (EC2) supports encryption at rest for Elastic Block Store (EBS) volumes. EBS encryption by default is disabled, but it can be turned on so that every new EBS volume created in a region is encrypted at creation time without relying on each caller to request it. The setting is per region and applies only to volumes created after it is enabled; volumes that already exist are not encrypted retroactively.
Rationale:
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From Console:
Log in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
Under Account attributes, click EBS encryption.
Click Manage.
Click the Enable checkbox.
Click Update EBS encryption.
Repeat for every region requiring the change.
Note: EBS volume encryption is configured per region.
From Command Line:
Run:
aws --region <region> ec2 enable-ebs-encryption-by-default
Verify that the JSON output contains "EbsEncryptionByDefault": true.
Repeat for every region requiring the change.
Note: EBS volume encryption is configured per region.
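The console and command-line steps above must be repeated in every enabled region, which is easy to get wrong by hand. The following POSIX shell script is an added example, not part of the benchmark or of Nessus, that enumerates the account's enabled regions, reports the current state of EBS encryption by default in each, and (with --apply) enables it only where it is off. It assumes the AWS CLI is installed and has credentials with ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault; the function and variable names are the example's own. The JSON parsing uses only tr and a case statement so the script works without jq.

```shell
#!/bin/sh
# Added example: audit and remediate "EBS encryption by default" per region.
# Not part of the CIS benchmark or the Nessus check; names are illustrative.
# Usage:  ./ebs_default_enc.sh --check    (report only)
#         ./ebs_default_enc.sh --apply    (enable where disabled)

# Extract the EbsEncryptionByDefault value from the CLI's JSON output and
# print "true", "false" or "unknown". Whitespace is stripped first so the
# key/value pair becomes a single token regardless of pretty-printing.
ebs_default_state() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t\r')
  case "$compact" in
    *'"EbsEncryptionByDefault":true'*)  echo true ;;
    *'"EbsEncryptionByDefault":false'*) echo false ;;
    *)                                  echo unknown ;;
  esac
}

# Enabled regions only: without --all-regions, describe-regions omits
# opt-in regions that have not been enabled for the account.
list_regions() {
  aws ec2 describe-regions --query 'Regions[].RegionName' --output text \
    | tr '\t' '\n'
}

# Print "<region> <state>" for one region without changing anything.
check_region() {
  region=$1
  state=$(ebs_default_state "$(aws --region "$region" \
            ec2 get-ebs-encryption-by-default)")
  echo "$region $state"
}

# Enable encryption by default in one region if it is off, then re-read the
# setting from the response. Prints "<region> <before> <after>" and returns
# non-zero if the region is still not compliant afterwards.
remediate_region() {
  region=$1
  before=$(ebs_default_state "$(aws --region "$region" \
             ec2 get-ebs-encryption-by-default)")
  if [ "$before" = "true" ]; then
    echo "$region true true"
    return 0
  fi
  after=$(ebs_default_state "$(aws --region "$region" \
            ec2 enable-ebs-encryption-by-default)")
  echo "$region $before $after"
  [ "$after" = "true" ]
}

# The live part runs only when explicitly requested, so the file can be
# sourced or tested offline without touching any AWS account.
case "${1:-}" in
  --check)
    for r in $(list_regions); do check_region "$r"; done ;;
  --apply)
    for r in $(list_regions); do remediate_region "$r"; done ;;
esac
```

Run it with --check first and keep the output as evidence for the audit; run --apply only after confirming which regions should change. Enabling the setting makes new volumes use the region's default EBS KMS key (the AWS-managed aws/ebs key unless a customer-managed key has been configured with aws ec2 modify-ebs-default-kms-key-id), and it does nothing for volumes that already exist, so unencrypted volumes must still be found and migrated separately.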