Ensure that all Amazon Elastic Block Store (EBS) volumes attached to EC2 instances provisioned within the app tier are encrypted, in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to a app-tier EC2 instance, the data stored at rest on the volume, disk I/O and all the snapshots taken from the volume is encrypted. The encryption/decryption process is handled transparently and does not require any additional action from you, your instance, or your application. The encryption keys used to encrypt your app-tier data are entirely managed and protected by Amazon Key Management Service (KMS). This conformity rule assumes that all the AWS resources available within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be identified and configured within the rule settings, on the Cloud Conformity dashboard.
With encryption enabled, your app-tier EBS volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all Amazon EBS volumes provisioned for the app tier should be encrypted in order to protect sensitive data from attackers or unauthorized users. Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if all your app-tier EBS volumes are encrypted, perform the following actions:
To enable data encryption for the AWS EBS volumes provisioned within your app tier, you need to re-create them with the right encryption configuration. To encrypt the necessary app-tier EBS resources, perform the following actions: