Best practice rules for Amazon Elastic Block Store (EBS)
Elastic Block Storage (EBS) volumes are block-level, durable storage devices that attach to your EC2 Instances. EBS Volumes can be used as your primary storage device for an EC2 instance or database, or for throughput-intensive systems requiring constant disk scans. EBS volumes exist independently from your EC2 instances and can be retained after the associated EC2 instance has been deleted. AWS provides various types of EBS volumes allowing you to tailor the right volume to meet your budget and application performance requirements.
Trend Micro Cloud One™ – Conformity monitors Amazon Elastic Block Store (EBS) with the following rules:
- Amazon EBS Public Snapshots
Ensure that your Amazon EBS volume snapshots are not accessible to all AWS accounts.
- App-Tier EBS Encrypted
Ensure app-tier Amazon Elastic Block Store (EBS) volumes are encrypted.
- EBS Encrypted
Ensure EBS volumes are encrypted to meet security and encryption compliance requirements. Encryption is a key mechanism for you to ensure that you are in full control over who has access to your data.
- EBS Encrypted With KMS Customer Master Keys
Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data.
- EBS General Purpose SSD
Ensure EC2 instances are using General Purpose SSD (gp2) EBS volumes instead of Provisioned IOPS SSD (io1) volumes to optimize AWS EBS costs.
- EBS Snapshot Encrypted
Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements.
- EBS Volume Naming Conventions
Ensure EBS volumes are using proper naming conventions to follow AWS tagging best practices.
- EBS Volumes Attached To Stopped EC2 Instances
Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes).
- EBS Volumes Recent Snapshots
Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery.
- EBS Volumes Too Old Snapshots
Identify and remove old AWS Elastic Block Store (EBS) volume snapshots for cost optimization.
- Enable Encryption by Default for EBS Volumes
Ensure that your new Amazon EBS volumes are always encrypted in the specified AWS region.
- Idle EBS Volume
Identify idle AWS EBS volumes and delete them in order to optimize your AWS costs.
- Unused EBS Volumes
Identify and remove any unused Elastic Block Store volumes to improve cost optimization and security.
- Use Customer Master Keys for EBS Default Encryption
Ensure that your new EBS volumes are always encrypted with KMS Customer Master Keys.
- Web-Tier EBS Encrypted
Ensure web-tier Amazon Elastic Block Store (EBS) volumes are encrypted.