Skip to content

Latest commit

 

History

History
38 lines (34 loc) · 3.98 KB

ebs-encryption-enabled.md

File metadata and controls

38 lines (34 loc) · 3.98 KB
Raw

CloudSploit

AWS / EC2 / EBS Encryption Enabled

Quick Info
Plugin Title EBS Encryption Enabled
Cloud AWS
Category EC2
Description Ensures EBS volumes are encrypted at rest
More Info EBS volumes should have at-rest encryption enabled through AWS using KMS. If the volume is used for a root volume, the instance must be launched from an AMI that has been encrypted as well.
AWS Link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Recommended Action Enable encryption for EBS volumes.

Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for EC2.
  3. Scroll down the left navigation panel and choose "Volumes".
  4. Select the "Volume" that needs to be verified and click on its name from the "Name" column.
  5. Scroll down the page and under "Details" check for "Encryption". If the "Encryption" option is showing "Not Encrypted" then the selected EBS Volume is not encrypted.
  6. Repeat the steps number 2 - 5 to check other EBS Volumes in the AWS region.
  7. Select the unencrypted "EBS Volume" that needs to be encrypted and click on the "Actions" button, on the top panel and click on the "Create Snapshot" option.
  8. Provide the description of the new snapshot in the "Create Snapshot" dialog box and click on the "Create Snapshot" button.
  9. Scroll down the left navigation panel and choose "Snapshots".
  10. Select the new "EBS Snapshot" created and click on the "Actions" button, on the top panel and click on the "Copy snapshot" option.
  11. In the "Copy Snapshot" dialog box select the box "Encrypt this snapshot" next to "Encryption" and choose the "KMS key" from the dropdown menu.
  12. Click on the "Copy snapshot" button to copy the selected "EBS Snapshot".
  13. Select the new EBS snapshot and click on the "Actions" button at the top panel and click on the "Create Volume from snapshot" option.
  14. In the "Create Volume" dialog box verify the "Encryption" option is enabled.
  15. Click on the "Create Volume" button to create the new "EBS Encrypted Volume".
  16. Scroll down the left navigation panel and click on the "Volumes".
  17. Select the volume that is not encrypted and click on the "Action" button at the top and click on the "Detach Volume".
  18. In the "Detach Volume" dialog box click on the "Detach" button.
  19. Select the newly encrypted EBS volume and click on the "Action" button at the top and click on the "Attach Volume".
  20. In the "Attach Volume" dialog box select the EC2 instance and device name for the attachment.
  21. Repeat steps number 7 - 20 to ensure "EBS Volume" encryption is enabled.