1.6 Ensure all EBS volumes for App-Tier are encrypted

Information

Elastic Block Storage (EBS) volumes can be encrypted using AWS Key Management Service (KMS). In this configuration, encryption and decryption are handled transparently and require no additional action from the user, an Amazon EC2 instance, or application. When an encrypted Amazon EBS volume is attached to a supported Amazon EC2 instance type, the data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host Amazon EC2 instances. Additionally, snapshots of encrypted volumes are automatically encrypted, and volumes that are created from encrypted snapshots are also automatically encrypted. It is recommended that all EBS volumes for the app tier be encrypted.
Enabling encryption on EBS volumes will help ensure the confidentiality of data stored on those volumes.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

* Note all the volume id's of unencrypted EBS volumes and create a snapshot for each of them:

aws ec2 create-snapshot --volume-id _<unencrypted_ebs_volume>_ --description "Snapshot for encryption operation"

* Note the SnapshotIdelement from the output of step 1 and copy the snapshot to an encrypted snapshot using the KMS key created for the Web-tier:

aws ec2 copy-snapshot --source-region _<application_region>_ --source-snapshot-id _<unencrypted_ebs_snapshot>_ --description "Encrypted snapshot." --encrypted --kms-key-id <app_tier_kms_key>

*

Note the SnapshotId element from the output of step 2 and create a new EBS volume from the encrypted snapshot in the same Availability Zone as the unencrypted volume:

aws ec2 create-volume --availability-zone _<application_az>_ --snapshot-id <encrypted_ebs_snapshot>

* Tag the newly created EBS volume using the Volume Id from the previous step_ <encrypted_ebs_volume>:_


aws ec2 create-tags --resources <encrypted_ebs_volume> --tags Key=<app_tier_tag>,Value=<app_tier_tag_value>

* Delete unencrypted EBS volume:

aws ec2 delete-volume --volume-id <unencrypted_ebs_volume>

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1)

Plugin: amazon_aws

Control ID: 1d9e8120c5652669e3d0d68720ed73cb745217e27f2d4fbeee664612b3d2b2db