Information
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Rationale:
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Impact:
Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.
Solution
From Console:
Log in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
Under Account attributes, click EBS encryption.
Click Manage.
Click the Enable checkbox.
Click Update EBS encryption.
Repeat for every region requiring the change.
Note: EBS volume encryption is configured per region.
From Command Line:
Run
aws --region <region> ec2 enable-ebs-encryption-by-default
Verify that 'EbsEncryptionByDefault': true is displayed.
Repeat for every region requiring the change.
Note: EBS volume encryption is configured per region.
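The command-line procedure above, carried across every region the account can use: an added example (not part of the benchmark text) that audits the setting per region, enables it where it is off, and re-reads the flag to verify, as the steps require. It assumes AWS CLI v2 on PATH with credentials permitted to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault; the FakeAws class is a constructed stand-in so the logic can be exercised offline.

```python
# Added example, not from the benchmark text: audit every region the account can
# use for EBS encryption-by-default, enable it where missing, then verify.
# Assumes AWS CLI v2 on PATH with credentials for ec2:DescribeRegions,
# ec2:GetEbsEncryptionByDefault and ec2:EnableEbsEncryptionByDefault.
import json
import subprocess
from typing import Callable, Dict, List

def run_aws(args: List[str]) -> dict:
    """Invoke the real AWS CLI and parse its JSON output."""
    proc = subprocess.run(["aws", "--output", "json", *args],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def enabled_regions(run: Callable = run_aws) -> List[str]:
    """The setting is per region, so enumerate every region the account can use."""
    resp = run(["ec2", "describe-regions", "--all-regions"])
    return sorted(r["RegionName"] for r in resp["Regions"]
                  if r["OptInStatus"] != "not-opted-in")

def is_encrypted_by_default(region: str, run: Callable = run_aws) -> bool:
    resp = run(["--region", region, "ec2", "get-ebs-encryption-by-default"])
    return resp.get("EbsEncryptionByDefault") is True

def enforce(regions: List[str], run: Callable = run_aws,
            remediate: bool = True) -> Dict[str, str]:
    """Per-region result: compliant, noncompliant (audit only), enabled or failed."""
    status = {}
    for region in regions:
        if is_encrypted_by_default(region, run):
            status[region] = "compliant"
        elif not remediate:
            status[region] = "noncompliant"
        else:
            run(["--region", region, "ec2", "enable-ebs-encryption-by-default"])
            # Re-read the flag instead of trusting the enable call's reply.
            status[region] = "enabled" if is_encrypted_by_default(region, run) else "failed"
    return status

class FakeAws:
    """Constructed stand-in for the CLI so the logic can be exercised offline."""
    def __init__(self, flags: Dict[str, bool]):
        self.flags = flags  # region -> current EbsEncryptionByDefault value
    def __call__(self, args: List[str]) -> dict:
        if args[0] == "ec2":  # describe-regions
            return {"Regions": [{"RegionName": r, "OptInStatus": "opted-in"} for r in self.flags]}
        region, action = args[1], args[3]
        if action == "enable-ebs-encryption-by-default":
            self.flags[region] = True
        return {"EbsEncryptionByDefault": self.flags[region]}
```

Calling `enforce(enabled_regions())` with the default runner performs the real audit and remediation against the current credentials; `enforce(enabled_regions(), remediate=False)` is an audit-only pass that reports noncompliant regions without changing them.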