
Enable AWS EBS Encryption

Last updated: 09 April 2018
Security

Risk level: High (act today)

Ensure that your EBS volumes are encrypted, since they can hold very sensitive and critical data. EBS encryption and decryption are handled transparently and do not require any additional action from you, your server instance or your application.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When dealing with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorized personnel. With Elastic Block Store encryption enabled, the data stored on the volume, the disk I/O between the instance and the volume, and the snapshots created from the volume are all encrypted. EBS encryption uses the AES-256 algorithm; the keys are managed and protected by AWS Key Management Service (AWS KMS), using either your account's default EBS key (aws/ebs) or a customer managed key that you choose when creating the volume or copying the snapshot.

Audit

Case A: to determine if your EBS volumes are encrypted, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select your EBS volume.

05 Select the Description tab from the bottom panel.

06 Check the Encrypted field in the Description tab.

07 If the Encrypted field shows “Not Encrypted”, the selected EBS volume is not encrypted. Encryption cannot be turned on for an existing volume; it must be re-created from an encrypted snapshot, as described in the Remediation / Resolution section.

Using AWS CLI

01 Run describe-volumes command (OSX/Linux/UNIX) to determine if your EC2 Elastic Block Store volume is encrypted. The next example command describes all volumes that are attached to an EC2 instance with the ID i-67988ffd:

aws ec2 describe-volumes \
	--filters Name=attachment.instance-id,Values=i-67988ffd

02 The command output should reveal the instance EBS volume encryption status (true for enabled, false for disabled):

{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [
                {
                    "AttachTime": "2016-04-04T16:51:00.000Z",
                    "InstanceId": "i-67988ffd",
                    "VolumeId": "vol-f0e0ee2e",
                    "State": "attached",
                    "DeleteOnTermination": true,
                    "Device": "/dev/xvda"
                }
            ],
            "Encrypted": false,
            "VolumeType": "gp2",
            "VolumeId": "vol-f0e0ee2e",
            "State": "in-use",
            "Iops": 90,
            "SnapshotId": "snap-12c47a84",
            "CreateTime": "2016-04-04T16:51:00.136Z",
            "Size": 30
        }
    ]
}

Case B: to determine if your EBS snapshots are encrypted, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Snapshots.

04 Select your EBS snapshot.

05 Select the Description tab from the bottom panel.

06 Check the Encrypted field in the Description tab.

07 If the Encrypted field shows “Not Encrypted”, the selected EBS snapshot is not encrypted.

Using AWS CLI

01 Run describe-snapshots command (OSX/Linux/UNIX) to determine if a certain EBS volume snapshot is encrypted. The next example command describes the EBS snapshot with the ID snap-12c47a84:

aws ec2 describe-snapshots \
	--snapshot-ids snap-12c47a84

02 The command output should return the EBS snapshot encryption status (true for enabled, false for disabled). In this example the snapshot belongs to Amazon (OwnerAlias amazon): it is the public AMI snapshot that the volume was created from, not one of your own. Only snapshots owned by your account can be remediated, so when listing snapshots to audit add --owner-ids self, otherwise describe-snapshots also returns every public snapshot you have access to:

{
    "Snapshots": [
        {
            "OwnerAlias": "amazon",
            "Description": "amzn-ami-hvm-2016.03.0.x86_64",
            "Encrypted": false,
            "VolumeId": "vol-6a667644",
            "State": "completed",
            "Progress": "100%",
            "SnapshotId": "snap-12c47a84",
            "OwnerId": "137112412989"
        }
    ]
}
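The two CLI checks above examine one volume and one snapshot at a time. The following Python script, added here as an example and not part of the original page or of Cloud Conformity's tooling, audits a whole account: it applies the same Encrypted test to every page of describe-volumes / describe-snapshots output, keeps the attachment details that decide how each volume has to be remediated (root volume, data volume or detached), and skips snapshots owned by someone else. The classification functions run offline on constructed sample pages mirroring the output shown above (the vol-0123456789abcdef0 ID is a placeholder); collect_findings assumes a boto3 EC2 client with credentials configured.

```python
import json


def unencrypted_volumes(response):
    """One finding per unencrypted volume in a describe-volumes page.

    The attachment details are kept because they decide how the volume is
    remediated: a root volume (attached at the instance's root device,
    usually /dev/xvda or /dev/sda1) needs the instance stopped before it
    can be swapped, a data volume can be swapped while the instance runs,
    and a detached volume only needs to be re-created."""
    findings = []
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted"):
            continue
        att = (vol.get("Attachments") or [{}])[0]
        findings.append({
            "VolumeId": vol["VolumeId"],
            "AvailabilityZone": vol["AvailabilityZone"],
            "State": vol["State"],
            "InstanceId": att.get("InstanceId"),
            "Device": att.get("Device"),
            "DeleteOnTermination": att.get("DeleteOnTermination"),
        })
    return findings


def unencrypted_snapshots(response, owner_id):
    """IDs of unencrypted snapshots in a describe-snapshots page that belong
    to owner_id. Without an owner filter the API also returns public
    snapshots such as Amazon's AMI snapshots (OwnerAlias "amazon"); those
    are not yours to fix, so they are dropped here even when the caller
    forgot --owner-ids self."""
    return [s["SnapshotId"] for s in response.get("Snapshots", [])
            if not s.get("Encrypted") and s.get("OwnerId") == owner_id]


def collect_findings(ec2, owner_id):
    """Walk every page of both APIs with a live boto3 EC2 client (assumed)."""
    volumes, snapshots = [], []
    enc_false = [{"Name": "encrypted", "Values": ["false"]}]
    for page in ec2.get_paginator("describe_volumes").paginate(Filters=enc_false):
        volumes.extend(unencrypted_volumes(page))
    for page in ec2.get_paginator("describe_snapshots").paginate(
            OwnerIds=[owner_id], Filters=enc_false):
        snapshots.extend(unencrypted_snapshots(page, owner_id))
    return volumes, snapshots


# Constructed sample pages mirroring the CLI output shown on this page
# (not real resources); vol-0123456789abcdef0 is a placeholder ID.
SAMPLE_VOLUMES = {"Volumes": [
    {"AvailabilityZone": "us-east-1a", "VolumeId": "vol-f0e0ee2e", "State": "in-use",
     "Encrypted": False, "VolumeType": "gp2", "Size": 30,
     "Attachments": [{"InstanceId": "i-67988ffd", "Device": "/dev/xvda",
                      "State": "attached", "DeleteOnTermination": True}]},
    {"AvailabilityZone": "us-east-1a", "VolumeId": "vol-0123456789abcdef0",
     "State": "available", "Encrypted": False, "VolumeType": "gp2", "Size": 8,
     "Attachments": []},
    {"AvailabilityZone": "us-east-1a", "VolumeId": "vol-dd313803", "State": "in-use",
     "Encrypted": True, "VolumeType": "gp2", "Size": 30,
     "Attachments": [{"InstanceId": "i-67988ffd", "Device": "/dev/sdf",
                      "State": "attached", "DeleteOnTermination": False}]},
]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-12c47a84", "OwnerId": "137112412989",
     "OwnerAlias": "amazon", "Encrypted": False, "State": "completed"},
    {"SnapshotId": "snap-33571226", "OwnerId": "123456789012",
     "Encrypted": False, "State": "completed"},
    {"SnapshotId": "snap-3b492a29", "OwnerId": "123456789012",
     "Encrypted": True, "State": "completed"},
]}

if __name__ == "__main__":
    # Offline demonstration on the constructed pages. For a live audit:
    #   import boto3
    #   ec2 = boto3.client("ec2", region_name="us-east-1")
    #   account = boto3.client("sts").get_caller_identity()["Account"]
    #   volumes, snapshots = collect_findings(ec2, account)
    volumes = unencrypted_volumes(SAMPLE_VOLUMES)
    snapshots = unencrypted_snapshots(SAMPLE_SNAPSHOTS, "123456789012")
    print(json.dumps({"UnencryptedVolumes": volumes,
                      "UnencryptedSnapshots": snapshots}, indent=2))
```

The server-side encrypted=false filter keeps the API traffic small; the client-side checks are repeated so that the same functions give the right answer on output captured without a filter, such as the CLI JSON shown above.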

Remediation / Resolution

EBS encryption cannot be switched on for an existing volume or snapshot. To encrypt existing data you need to snapshot the volume, make an encrypted copy of the snapshot, create a new volume from that copy in the same Availability Zone as the instance, and swap it in for the unencrypted volume. If the volume is the instance's root volume, the instance must be stopped before the swap and the new volume attached under the original root device name. The unencrypted volume and snapshot remain in the account until you delete them. This can be done by performing the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select your non-encrypted EBS volume.

05 Click the Actions dropdown button from the EBS dashboard top menu and select Create Snapshot.

06 In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.

07 In the navigation panel, under Elastic Block Store, click Snapshots.

08 Select your newly created EBS snapshot and wait for its status to become completed.

09 Click the Actions dropdown button from the EBS snapshot dashboard top menu and select Copy.

10 In the Copy Snapshot dialog box, select the Encrypt this snapshot checkbox, choose the master key to encrypt it with (the default aws/ebs key or a customer managed key) and click Copy.

11 Select the new (copied) EBS snapshot once its status is completed.

12 Click the Actions dropdown button from the EBS dashboard top menu and select Create Volume.

13 In the Create Volume dialog box, choose the same Availability Zone as the instance the volume will be attached to, make sure the volume Encryption status is Encrypted, and click Create.

14 Go back to the navigation panel and click Volumes.

15 Select the volume that is not encrypted. If it is the root volume of a running instance, stop the instance first (Instances, Actions, Instance State, Stop), since a root volume cannot be detached while the instance is running. Then click the Actions dropdown button from the EBS dashboard top menu and select Detach Volume.

16 In the Detach Volume dialog box click Yes, Detach.

17 Select the newly encrypted EBS volume.

18 Click the Actions dropdown button from the EBS dashboard top menu and select Attach Volume.

19 In the Attach Volume dialog box enter your EC2 instance ID and the device name for attachment, then click Attach. Use the device name the unencrypted volume was attached at (for a root volume this is the instance's root device, e.g. /dev/xvda); a replacement root volume attached under any other name will not boot. Start the instance again if you stopped it, verify that it works from the encrypted volume, and only then delete the unencrypted volume and its snapshot, which otherwise remain in the account as plaintext copies of the data.

Using AWS CLI

01 Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot of your non-encrypted volume. The next example command snapshots the EBS volume with the ID vol-f0e0ee2e:

aws ec2 create-snapshot \
	--volume-id vol-f0e0ee2e

02 The command output should reveal the EBS snapshot ID:

{
    "Description": "",
    "Encrypted": false,
    "VolumeId": "vol-f0e0ee2e",
    "State": "pending",
    "VolumeSize": 30,
    "Progress": "",
    "StartTime": "2016-04-04T18:37:42.000Z",
    "SnapshotId": "snap-33571226",
    "OwnerId": "123456789012"
}

03 Wait for the snapshot to reach the completed state (aws ec2 wait snapshot-completed --snapshot-ids snap-33571226), then run copy-snapshot command (OSX/Linux/UNIX) to create an encrypted copy of the existing EBS snapshot, using its ID to specify the data source. Without --kms-key-id the copy is encrypted with your account's default EBS key (aws/ebs); pass --kms-key-id to use a customer managed key instead:

aws --region us-east-1 ec2 copy-snapshot \
	--source-region us-east-1 \
	--encrypted \
	--source-snapshot-id snap-33571226

The command output should return the new encrypted EBS snapshot ID (snapshot copy):

{
    "SnapshotId": "snap-3b492a29"
}

04 Once the copy is completed, run create-volume command (OSX/Linux/UNIX) to create a new EBS volume from the encrypted snapshot. The Availability Zone must be the one your EC2 instance runs in (us-east-1a in the describe-volumes output above). The next example command creates an EBS volume from a source snapshot with the ID snap-3b492a29:

aws ec2 create-volume \
	--region us-east-1 \
	--availability-zone us-east-1a \
	--snapshot-id snap-3b492a29 \
	--volume-type gp2 \
	--encrypted

05 The command output should reveal the new encrypted EBS volume ID:

{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-dd313803",
    "State": "creating",
    "SnapshotId": "snap-3b492a29",
    "Size": 30
}

06 Run detach-volume command (OSX/Linux/UNIX) to detach the non-encrypted EBS volume. If it is the instance's root volume (in the describe-volumes output above, vol-f0e0ee2e is attached at /dev/xvda with DeleteOnTermination true, i.e. it is the root volume), stop the instance first with aws ec2 stop-instances --instance-ids i-67988ffd and wait for it (aws ec2 wait instance-stopped --instance-ids i-67988ffd); a root volume cannot be detached from a running instance. The next example command detaches the EBS volume with the ID vol-f0e0ee2e:

aws ec2 detach-volume \
	--volume-id vol-f0e0ee2e

07 To attach the new encrypted EBS volume to your EC2 instance, run attach-volume command (OSX/Linux/UNIX) once the old volume shows as available. The next example command attaches the EBS volume with the ID vol-dd313803 to the EC2 instance with the ID i-67988ffd as /dev/sdf, a data volume device name; when replacing a root volume, use the original root device name instead (/dev/xvda in the output above), otherwise the instance will not boot from it:

aws ec2 attach-volume \
	--volume-id vol-dd313803 \
	--instance-id i-67988ffd \
	--device /dev/sdf

08 The command output (below) should return the encrypted EBS volume state (attaching in this case). Note that a freshly attached volume has DeleteOnTermination set to false; if the original attachment had it enabled, restore it with aws ec2 modify-instance-attribute --instance-id i-67988ffd --block-device-mappings '[{"DeviceName":"/dev/sdf","Ebs":{"DeleteOnTermination":true}}]'. Start the instance again if you stopped it, confirm that it works from the encrypted volume, and only then delete the unencrypted volume (vol-f0e0ee2e) and the unencrypted snapshot (snap-33571226), which until then remain in the account as plaintext copies of the data.

{
    "AttachTime": "2016-04-04T19:11:30.670Z",
    "InstanceId": "i-67988ffd",
    "VolumeId": "vol-dd313803",
    "State": "attaching",
    "Device": "/dev/sdf"
}
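The CLI steps above are the sequence for one volume, without the waits between steps and without the root-volume handling. The following Python script, added here as an example and not part of the original page or of Cloud Conformity's tooling, carries the whole procedure out against a boto3 EC2 client: it derives the placement, device name and DeleteOnTermination flag from the describe-volumes record so nothing is lost in the swap, waits for each resource to reach a usable state, stops and restarts the instance when the volume is its root volume, and leaves the unencrypted originals for you to delete after verification. DryRunEC2 is a hypothetical stand-in that records the calls instead of making them; the sample volume is the record from the describe-volumes output above, and root_device_name would come from describe-instances (RootDeviceName) in a live run.

```python
def build_plan(volume, root_device_name=None):
    """Derive, from one describe-volumes record, everything the encrypted
    replacement must reproduce: placement, type, size, provisioned IOPS,
    the instance and device it is attached at and its DeleteOnTermination
    flag. root_device_name is the instance's RootDeviceName; a volume
    attached at that device is the root volume and needs a stopped instance."""
    att = (volume.get("Attachments") or [None])[0]
    plan = {
        "SourceVolumeId": volume["VolumeId"],
        "AvailabilityZone": volume["AvailabilityZone"],
        "VolumeType": volume["VolumeType"],
        "Size": volume["Size"],
        "InstanceId": att["InstanceId"] if att else None,
        "Device": att["Device"] if att else None,
        "DeleteOnTermination": bool(att and att.get("DeleteOnTermination")),
        "IsRoot": bool(att and att["Device"] == root_device_name),
    }
    if volume["VolumeType"] in ("io1", "io2"):
        plan["Iops"] = volume["Iops"]  # provisioned IOPS are not inherited
    return plan


def reencrypt(ec2, plan, kms_key_id=None):
    """Snapshot, encrypted copy, encrypted volume, then swap the attachment.
    Returns the new volume ID. The source volume and both snapshots are left
    in place on purpose: delete them only once the instance has been verified
    to work from the new volume."""
    src = plan["SourceVolumeId"]
    snap = ec2.create_snapshot(
        VolumeId=src, Description="pre-encryption copy of " + src)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    copy_args = {"SourceRegion": ec2.meta.region_name,
                 "SourceSnapshotId": snap, "Encrypted": True}
    if kms_key_id:  # otherwise the account's default EBS key (aws/ebs) is used
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    vol_args = {"AvailabilityZone": plan["AvailabilityZone"], "SnapshotId": enc_snap,
                "VolumeType": plan["VolumeType"], "Size": plan["Size"],
                "Encrypted": True}
    if "Iops" in plan:
        vol_args["Iops"] = plan["Iops"]
    new_vol = ec2.create_volume(**vol_args)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    if plan["InstanceId"] is None:
        return new_vol  # detached volume: nothing to swap
    inst = [plan["InstanceId"]]
    if plan["IsRoot"]:  # a root volume cannot be detached from a running instance
        ec2.stop_instances(InstanceIds=inst)
        ec2.get_waiter("instance_stopped").wait(InstanceIds=inst)
    ec2.detach_volume(VolumeId=src)
    ec2.get_waiter("volume_available").wait(VolumeIds=[src])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=inst[0], Device=plan["Device"])
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    if plan["DeleteOnTermination"]:  # attach-volume leaves the flag false
        ec2.modify_instance_attribute(InstanceId=inst[0], BlockDeviceMappings=[
            {"DeviceName": plan["Device"], "Ebs": {"DeleteOnTermination": True}}])
    if plan["IsRoot"]:
        ec2.start_instances(InstanceIds=inst)
    return new_vol


class DryRunEC2:
    """Hypothetical stand-in for boto3.client("ec2"): records the API calls
    reencrypt() would make and answers with the IDs from this page's examples."""
    class meta:
        region_name = "us-east-1"
    _responses = {"create_snapshot": {"SnapshotId": "snap-33571226"},
                  "copy_snapshot": {"SnapshotId": "snap-3b492a29"},
                  "create_volume": {"VolumeId": "vol-dd313803"}}

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(*args, **kwargs):
            if name == "get_waiter":
                self.calls.append("wait:" + args[0])
                return self  # the following .wait() is then a recorded no-op
            if name != "wait":
                self.calls.append(name)
            return self._responses.get(name, {})
        return call


# Constructed input: the unencrypted root volume from this page's
# describe-volumes output, attached at the instance's root device.
SAMPLE_VOLUME = {"VolumeId": "vol-f0e0ee2e", "AvailabilityZone": "us-east-1a",
                 "VolumeType": "gp2", "Size": 30, "Iops": 90, "Encrypted": False,
                 "Attachments": [{"InstanceId": "i-67988ffd", "Device": "/dev/xvda",
                                  "DeleteOnTermination": True}]}

if __name__ == "__main__":
    # Live run: replace DryRunEC2() with boto3.client("ec2", region_name="us-east-1")
    plan = build_plan(SAMPLE_VOLUME, root_device_name="/dev/xvda")
    ec2 = DryRunEC2()
    print("new volume:", reencrypt(ec2, plan))
    print("\n".join(ec2.calls))
```

Run it as-is to see the exact call order for a root volume (stop, detach, attach at /dev/xvda, restore DeleteOnTermination, start); for a data volume the stop/start steps disappear, and for a detached volume the script stops after the encrypted volume is available.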

Publication date Apr 5, 2016