Best practice rules for Amazon Elastic Block Store (EBS)
Amazon Elastic Block Store (EBS) volumes are block-level, durable storage devices that attach to your EC2 instances. An EBS volume can serve as the primary storage device for an EC2 instance or a database, or back throughput-intensive systems that require constant disk scans. EBS volumes exist independently of EC2 instances and can be retained after the associated instance has been terminated, and their snapshots can be shared with other AWS accounts, which is why their encryption and sharing settings need to be checked alongside their cost. AWS provides several EBS volume types so that you can choose the one that meets your budget and application performance requirements.
Trend Micro Cloud One™ – Conformity monitors Amazon Elastic Block Store (EBS) with the following rules:
- Amazon EBS Public Snapshots
Ensure that your Amazon EBS volume snapshots are not accessible to all AWS accounts.
- App-Tier EBS Encrypted
Ensure all AWS EBS volumes for app tier are encrypted.
- EBS Encrypted
Ensure that existing Elastic Block Store (EBS) attached volumes are encrypted to meet security and compliance requirements.
- EBS Encrypted With KMS Customer Master Keys
Ensure EBS volumes are encrypted with KMS CMKs in order to have full control over data encryption and decryption.
- EBS General Purpose SSD
Ensure EC2 instances are using General Purpose SSD (gp2) EBS volumes instead of Provisioned IOPS SSD (io1) volumes to optimize AWS EBS costs.
- EBS Snapshot Encrypted
Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements.
- EBS Volume Naming Conventions
Ensure EBS volumes are using proper naming conventions to follow AWS tagging best practices.
- EBS Volumes Attached To Stopped EC2 Instances
Identify Amazon EBS volumes attached to stopped EC2 instances (volumes that are still billed but are not currently serving a running instance).
- EBS Volumes Recent Snapshots
Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery.
- EBS Volumes Too Old Snapshots
Identify and remove old AWS Elastic Block Store (EBS) volume snapshots for cost optimization.
- Enable Encryption by Default for EBS Volumes
Ensure that your new Amazon EBS volumes are always encrypted in the specified AWS region.
- Idle EBS Volume
Identify idle AWS EBS volumes and delete them in order to optimize your AWS costs.
- Unused EBS Volumes
Identify and remove any unattached Elastic Block Store volumes to improve cost optimization and security.
- Web-Tier EBS Encrypted
Ensure all AWS EBS volumes for web tier are encrypted.
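The rules above are evaluated by Conformity itself; the following is an added example, not Conformity's or AWS's own code, that implements the security-relevant checks from this list (public snapshots, unencrypted volumes and snapshots, volumes not using a customer managed KMS key, unattached volumes, missing recent snapshots, and region-level encryption by default) as plain functions over the dicts that boto3's `describe_volumes`, `describe_snapshots`, `describe_snapshot_attribute`, `describe_key` and `get_ebs_encryption_by_default` return. The sample responses are constructed inline so the checks run offline; `main()` is the only part that needs credentials and boto3. The sample volume and snapshot IDs, account IDs and key ARN are made up.

```python
"""Evaluate several of the EBS best-practice rules listed above.

Added example (not Conformity's code). The check functions accept dicts shaped
like boto3 EC2/KMS API responses; main() fetches live data with boto3.
"""
from datetime import datetime, timedelta, timezone

PUBLIC_GROUP = "all"  # CreateVolumePermissions[].Group value that makes a snapshot public


def is_public_snapshot(attr_resp):
    """EBS Public Snapshots rule: True if createVolumePermission grants Group=all."""
    perms = attr_resp.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def unencrypted_volumes(volumes_resp):
    """EBS Encrypted rule: IDs of volumes whose Encrypted flag is not set."""
    return [v["VolumeId"] for v in volumes_resp["Volumes"] if not v.get("Encrypted")]


def unencrypted_snapshots(snapshots_resp):
    """EBS Snapshot Encrypted rule: IDs of snapshots whose Encrypted flag is not set."""
    return [s["SnapshotId"] for s in snapshots_resp["Snapshots"] if not s.get("Encrypted")]


def volumes_not_using_cmk(volumes_resp, key_manager_of):
    """EBS Encrypted With KMS CMK rule.

    key_manager_of(kms_key_id) must return KeyMetadata.KeyManager from
    kms.describe_key: "AWS" for the AWS-managed aws/ebs key, "CUSTOMER" for a CMK.
    Unencrypted volumes are reported too, since they use no CMK either.
    """
    bad = []
    for v in volumes_resp["Volumes"]:
        key_id = v.get("KmsKeyId")
        if not v.get("Encrypted") or not key_id or key_manager_of(key_id) != "CUSTOMER":
            bad.append(v["VolumeId"])
    return bad


def unattached_volumes(volumes_resp):
    """Unused EBS Volumes rule: state 'available' means no instance is attached."""
    return [v["VolumeId"] for v in volumes_resp["Volumes"] if v.get("State") == "available"]


def volumes_without_recent_snapshot(volumes_resp, snapshots_resp, max_age_days, now=None):
    """EBS Volumes Recent Snapshots rule: volumes with no snapshot newer than max_age_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    latest = {}  # VolumeId -> StartTime of its newest snapshot
    for s in snapshots_resp["Snapshots"]:
        vid = s["VolumeId"]
        if vid not in latest or s["StartTime"] > latest[vid]:
            latest[vid] = s["StartTime"]
    return [v["VolumeId"] for v in volumes_resp["Volumes"]
            if v["VolumeId"] not in latest or latest[v["VolumeId"]] < cutoff]


def encryption_by_default_enabled(resp):
    """Enable Encryption by Default rule, from ec2.get_ebs_encryption_by_default()."""
    return bool(resp.get("EbsEncryptionByDefault"))


# Constructed sample responses (fictional IDs) so the checks can be run offline.
SAMPLE_NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1", "Encrypted": True, "State": "in-use",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-0000-1111-2222-333344445555"},
    {"VolumeId": "vol-0b2", "Encrypted": False, "State": "available"},
]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-01", "VolumeId": "vol-0a1", "Encrypted": True,
     "StartTime": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-02", "VolumeId": "vol-0a1", "Encrypted": False,
     "StartTime": datetime(2023, 12, 1, tzinfo=timezone.utc)},
]}
SAMPLE_PUBLIC_ATTR = {"CreateVolumePermissions": [{"Group": "all"}]}
SAMPLE_PRIVATE_ATTR = {"CreateVolumePermissions": [{"UserId": "444455556666"}]}


def main():
    """Live run against the configured AWS account/region (needs boto3 and credentials)."""
    import boto3
    ec2, kms = boto3.client("ec2"), boto3.client("kms")
    vols = ec2.get_paginator("describe_volumes").paginate().build_full_result()
    snaps = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]).build_full_result()
    public = [s["SnapshotId"] for s in snaps["Snapshots"] if is_public_snapshot(
        ec2.describe_snapshot_attribute(SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"))]
    key_manager = lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyManager"]
    print("public snapshots:", public)
    print("unencrypted volumes:", unencrypted_volumes(vols))
    print("unencrypted snapshots:", unencrypted_snapshots(snaps))
    print("volumes not using a customer managed key:", volumes_not_using_cmk(vols, key_manager))
    print("unattached volumes:", unattached_volumes(vols))
    print("no snapshot in last 7 days:", volumes_without_recent_snapshot(vols, snaps, 7))
    print("encryption by default:", encryption_by_default_enabled(ec2.get_ebs_encryption_by_default()))


if __name__ == "__main__":
    main()
```

The public-snapshot check needs one `describe_snapshot_attribute` call per snapshot because `describe_snapshots` does not return sharing permissions; a snapshot shared with specific account IDs (a `UserId` entry rather than `Group: all`) is not flagged here, so extend `is_public_snapshot` if cross-account sharing is also out of policy. Note that `get_ebs_encryption_by_default` is per region, so a complete Encryption by Default audit loops over every enabled region.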