Ensure a managed Config rule for EBS encrypted volumes is created for your web tier. AWS Config tracks changes within your web-tier resources configuration and saves the recorded data to log files which can be useful for security and compliance audits or for troubleshooting. A managed Config rule is a predefined, customizable rule, that the Config service uses to evaluate whether your web-tier resources comply with common security best practices. This conformity rule assumes that all the AWS resources within your web tier (including AWS EBS volumes) are already tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be known and configured in the conformity rule settings, on the Cloud Conformity account dashboard.
Evaluate the configuration of your web-tier EBS volumes in order to ensure that encryption at rest is enabled, as the required managed Config rule can determine how your EBS resources have been configured at a certain point in time and what relationships these had with other resources (e.g. KMS CMKs) available in the web tier. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if there is a managed Config rule that checks if your web-tier EBS volumes are encrypted, available in your AWS account, perform the following:
To create a managed AWS Config rule that periodically checks if your web-tier EBS volumes are encrypted, perform the following actions: