Ensure that a managed Config rule for Amazon EBS encrypted volumes is created for your app tier. AWS Config tracks changes within your app-tier resources configuration and saves the recorded data to log files on S3, logs that can be useful for security and compliance audits. A managed Config rule is a predefined and customizable rule that AWS Config uses to evaluate whether your app-tier resources (i.e. EBS volumes) comply with common security best practices. This conformity rule assumes that all the AWS resources available in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the conformity rule settings, on the Cloud Conformity account dashboard.
Evaluate the configuration of your app-tier EBS volumes in order to ensure that encryption at rest is enabled, as the required managed Config rule can determine how your EBS resources have been configured at a certain point in time and what relationships these had with other resources available within the app tier. Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if there is a managed Config rule that checks if your app-tier EBS volumes are encrypted, available in your AWS account, perform the following:
To create a managed AWS Config rule that periodically checks if your app-tier EBS volumes are encrypted, perform the following actions: