Plugin Title | EBS Encryption Enabled |
Cloud | AWS |
Category | EC2 |
Description | Ensures EBS volumes are encrypted at rest |
More Info | EBS volumes should have at-rest encryption enabled through AWS using KMS. If the volume is used as a root volume, the instance must be launched from an AMI that has been encrypted as well. |
AWS Link | http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html |
Recommended Action | Enable encryption for EBS volumes. |
1. Log in to the AWS Management Console.
2. Select the "Services" option and search for EC2.
3. Scroll down the left navigation panel and choose "Volumes".
4. Select the "Volume" that needs to be verified and click on its name in the "Name" column.
5. Scroll down the page and, under "Details", check "Encryption". If "Encryption" shows "Not Encrypted", the selected EBS Volume is not encrypted.
6. Repeat steps 2 to 5 to check the other EBS Volumes in the AWS region.
7. Select the unencrypted "EBS Volume" that needs to be encrypted, click on the "Actions" button on the top panel and click on the "Create Snapshot" option.
8. Provide a description for the new snapshot in the "Create Snapshot" dialog box and click on the "Create Snapshot" button.
9. Scroll down the left navigation panel and choose "Snapshots".
10. Select the newly created "EBS Snapshot", click on the "Actions" button on the top panel and click on the "Copy snapshot" option.
11. In the "Copy Snapshot" dialog box, tick the "Encrypt this snapshot" box next to "Encryption" and choose the "KMS key" from the dropdown menu.
12. Click on the "Copy snapshot" button to copy the selected "EBS Snapshot".
13. Select the new EBS snapshot, click on the "Actions" button on the top panel and click on the "Create Volume from snapshot" option.
14. In the "Create Volume" dialog box, verify that the "Encryption" option is enabled.
15. Click on the "Create Volume" button to create the new "EBS Encrypted Volume".
16. Scroll down the left navigation panel and click on "Volumes".
17. Select the volume that is not encrypted, click on the "Actions" button at the top and click on "Detach Volume".
18. In the "Detach Volume" dialog box, click on the "Detach" button.
19. Select the newly encrypted EBS volume, click on the "Actions" button at the top and click on "Attach Volume".
20. In the "Attach Volume" dialog box, select the EC2 instance and the device name for the attachment.
21. Repeat steps 7 to 20 for each remaining unencrypted volume to ensure "EBS Volume" encryption is enabled.
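The same check and the snapshot-based remediation, scripted against the boto3 EC2 client API. This is an added example, not CloudSploit's plugin code; the volume, snapshot and key IDs are constructed, and the client is duck-typed so the logic can be exercised offline with a stub.

```python
"""Added example (not CloudSploit's own code): the EBS encryption check and the
snapshot-based remediation from the steps above, written against boto3's EC2
client API. Any object with the same method names works, so it can be exercised
offline with a stub client. All IDs and key names below are constructed."""


def find_unencrypted_volumes(describe_volumes_response):
    """Return the IDs of volumes whose 'Encrypted' flag is not set.

    Takes the dict returned by ec2.describe_volumes(), live or stored."""
    return [
        v["VolumeId"]
        for v in describe_volumes_response.get("Volumes", [])
        if not v.get("Encrypted", False)
    ]


def encrypt_volume_via_snapshot(ec2, volume_id, kms_key_id, region):
    """Produce an encrypted copy of volume_id (steps 7 to 15 above).

    EBS cannot encrypt a volume in place: snapshot it, copy the snapshot with
    Encrypted=True and a KMS key, then create a volume from the encrypted copy.
    Detaching the old volume and attaching the new one (steps 16 to 20) is
    left manual, since it needs the instance stopped or the filesystem quiesced.
    Returns the new volume's ID."""
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    snap = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}"
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    enc_snap = ec2.copy_snapshot(
        SourceSnapshotId=snap, SourceRegion=region,
        Encrypted=True, KmsKeyId=kms_key_id,
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    new_vol = ec2.create_volume(
        AvailabilityZone=src["AvailabilityZone"], SnapshotId=enc_snap,
        Encrypted=True, KmsKeyId=kms_key_id,
    )["VolumeId"]
    # Step 14: refuse to hand back a volume that did not come out encrypted.
    if not ec2.describe_volumes(VolumeIds=[new_vol])["Volumes"][0].get("Encrypted"):
        raise RuntimeError(f"{new_vol} was created without encryption")
    return new_vol


if __name__ == "__main__":
    import boto3  # needs AWS credentials; not required for the check itself
    ec2 = boto3.client("ec2", region_name="us-east-1")
    for vid in find_unencrypted_volumes(ec2.describe_volumes()):
        print("unencrypted:", vid)
```

Accounts with many volumes should feed `find_unencrypted_volumes` from the `describe_volumes` paginator rather than a single call, which returns only the first page.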