More Info:

Ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted to meet security and compliance requirements. With encryption enabled, your EBS volumes can hold sensitive, confidential, and critical data. Encryption and decryption are handled transparently and require no additional action from you, your server instance, or your application.

Risk Level

Medium

Address

Security

Compliance Standards

CBP, HIPAA, ISO27001, AWSWAF, SOC2, GDPR, NISTCSF, PCIDSS

Remediation

How to enable EBS volume encryption for EC2 instances

Using AWS Console

  1. Open the AWS Management Console and navigate to the EC2 dashboard.
  2. Select the EC2 instance for which you want to enable EBS volume encryption. (In the Cloudanix Console, navigate to the “Misconfig” page and look for the Affected Assets of the “Enable Volume Encryption” policy.)
  3. Stop the instance by selecting it, opening the “Instance State” dropdown menu, and choosing “Stop”.
  4. Once the instance is stopped, select it, open the “Actions” dropdown menu, and choose “Create Image”. This creates an Amazon Machine Image (AMI) of the instance.
  5. Once the AMI is created, select it and click on the “Launch” button.
  6. In the “Step 1: Choose an Instance Type” section, select the instance type that you want to launch.
  7. In the “Step 2: Configure Instance Details” section, configure the instance details as per your requirements.
  8. In the “Step 3: Add Storage” section, select the “Encrypt this volume” checkbox for each EBS volume that you want to encrypt.
  9. In the “Step 4: Add Tags” section, add any tags that you want to apply to the instance.
  10. In the “Step 5: Configure Security Group” section, configure the security group as per your requirements.
  11. In the “Step 6: Review Instance Launch” section, review the instance details and click on the “Launch” button.
  12. In the “Select an existing key pair or create a new key pair” dialog box, select an existing key pair or create a new key pair.
  13. Once the instance is launched, start it by selecting it, opening the “Instance State” dropdown menu, and choosing “Start”.
  14. Once the instance is running, verify that the EBS volumes are encrypted by selecting the instance and opening the “Description” tab. In the “Block devices” section, each EBS volume is shown as encrypted.
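The console steps above are per-instance; before starting them you usually want to know which instances actually have unencrypted volumes, and afterwards you want the same check to confirm step 14 across the whole account. The following script is an added example (not Cloudanix's or AWS's own code): it takes the JSON shape returned by `aws ec2 describe-volumes` (or boto3's `ec2.describe_volumes()`), lists unencrypted volumes, and maps them to the instances they are attached to. The sample response embedded below is constructed for illustration; the volume, instance and key IDs in it are made up.

```python
"""Audit EBS volumes for encryption and map findings to instances.

Added example, not from the original page. Input is the DescribeVolumes
response shape; the SAMPLE_RESPONSE below is constructed (IDs are not real).
"""
import json
from collections import defaultdict

# Constructed sample in the DescribeVolumes response shape (all IDs made up).
SAMPLE_RESPONSE = {
    "Volumes": [
        {"VolumeId": "vol-0aaa111", "Encrypted": False, "Size": 8,
         "Attachments": [{"InstanceId": "i-0web001", "Device": "/dev/xvda", "State": "attached"}]},
        {"VolumeId": "vol-0bbb222", "Encrypted": True, "Size": 100,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
         "Attachments": [{"InstanceId": "i-0web001", "Device": "/dev/xvdf", "State": "attached"}]},
        {"VolumeId": "vol-0ccc333", "Encrypted": False, "Size": 50,
         "Attachments": [{"InstanceId": "i-0db0002", "Device": "/dev/xvda", "State": "attached"}]},
        # Unattached volume: still a finding, but there is no instance to re-image.
        {"VolumeId": "vol-0ddd444", "Encrypted": False, "Size": 20, "Attachments": []},
    ]
}


def unencrypted_volumes(response):
    """Return the sorted IDs of volumes whose Encrypted flag is not True."""
    return sorted(v["VolumeId"] for v in response.get("Volumes", [])
                  if not v.get("Encrypted", False))


def instances_needing_remediation(response):
    """Map instance ID -> sorted list of unencrypted volume IDs attached to it.

    Unattached unencrypted volumes are reported under the key None so they are
    not silently dropped from the audit (they need a different fix than re-imaging).
    """
    findings = defaultdict(list)
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attachments = vol.get("Attachments") or []
        if not attachments:
            findings[None].append(vol["VolumeId"])
        for att in attachments:
            findings[att.get("InstanceId")].append(vol["VolumeId"])
    return {k: sorted(v) for k, v in findings.items()}


def all_encrypted(response):
    """Verification check for step 14: True only when every volume is encrypted."""
    return not unencrypted_volumes(response)


def fetch_live_response(region_name):
    """Pull the real response with boto3 (optional dependency; needs ec2:DescribeVolumes)."""
    import boto3  # imported lazily so the offline sample runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return {"Volumes": volumes}


if __name__ == "__main__":
    report = instances_needing_remediation(SAMPLE_RESPONSE)
    print(json.dumps({str(k): v for k, v in report.items()}, indent=2))
    print("all volumes encrypted:", all_encrypted(SAMPLE_RESPONSE))
```

To run it against a real account, either call `fetch_live_response("us-east-1")` or `json.load` the output of `aws ec2 describe-volumes` into `instances_needing_remediation`. Two caveats worth keeping in mind: the re-image procedure creates new encrypted volumes and does not encrypt the originals, so the old instance's volumes remain findings until they are deleted, and re-running the audit after remediation is the only reliable way to confirm that; and enabling the account-level default (`aws ec2 enable-ebs-encryption-by-default`) stops new unencrypted volumes from appearing in the first place, which is cheaper than re-imaging after the fact.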

Additional Reading: