Ensure that all Amazon Elastic Block Store (EBS) volumes attached to web-tier EC2 instances are encrypted in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to a web-tier EC2 instance, the data stored at rest on the volume, disk I/O and the snapshots created from the volume is encrypted. The EBS volumes encryption/decryption process is handled transparently and does not require any additional action from you, your EC2 instance, or your application. The encryption keys used to encrypt your web-tier data are entirely managed and protected by Amazon Key Management Service (KMS). This conformity rule assumes that all the AWS resources within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be known and configured within the rule settings, on the Cloud Conformity dashboard.
With encryption enabled, your web-tier AWS EBS volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all EBS volumes provisioned for the web tier should be encrypted in order to protect sensitive data from attackers or unauthorized personnel. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if all your web-tier AWS EBS volumes are encrypted, perform the following actions:
To enable data encryption for the AWS EBS volumes provisioned within your web tier, you need to re-create them with the right encryption settings. To encrypt the necessary web-tier EBS resources, perform the following actions: