5.11 Ensure an AWS Managed Config Rule for encrypted volumes is applied to App Tier - KMS ID

Information

AWS Config provides you with a detailed inventory of your AWS resources and their current configuration, and continuously records configuration changes to these resources.

You can evaluate these configurations and changes for compliance with ideal configurations as defined by AWS Config Rules.
Evaluation of Elastic Block Storage volume configuration to ensure encryption at rest is enabled which have been tagged as App-Tier

Solution

Using the Amazon unified command line interface:

* Create locally a json file (similar with the below sample) with the configuration of the Config Rule, and save it as /tmp/ConfigRule.json:

{
"Description": "Checks whether App Tier EBS volumes that are in an attached state are encrypted.",
"ConfigRuleName": "encrypted-volumes-app-tier",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "ENCRYPTED_VOLUMES"
},
"InputParameters": "{\"kmsId\":\"<_app_tier_kms_key>_\"}",
"Scope": {
"TagKey": "_<app_tier_tag_>",
"TagValue": "_<app_tier_tag_value>_"
}
}

* Create a Config Rule using the configuration saved earlier:

aws configservice put-config-rule --config-rule file:///tmp/ConfigRule.json

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28

Plugin: amazon_aws

Control ID: ad39fed9459edc73fd8c5d4fd2a032a09841bc31a16d93d6ce62fe13b6b2082b