EBS Snapshot Encrypted
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that the AWS EBS volume snapshots that hold sensitive and critical data are encrypted to fulfill compliance requirements for data-at-rest encryption. The EBS snapshot data encryption and decryption is handled transparently and does not require any additional actions from your application.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When dealing with production data that is crucial to your business, it is highly recommended to implement data encryption in order to protect it from attackers or unauthorized personnel. The EBS volume snapshot encryption keys are using AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through Amazon Key Management Service (KMS).
To identify any unencrypted EBS volume snapshots available within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.
04 Select the volume snapshot that you want to examine.
05 Select Description tab from the dashboard bottom panel and check the Encrypted attribute value to determine whether the selected snapshot is encrypted or not. If the Encrypted attribute value is set to Not Encrypted, the selected AWS EBS volume snapshot is not encrypted, therefore your EBS snapshot data is not protected from unauthorized access.
06 Repeat steps no. 4 and 5 to identify any other unencrypted snapshots available in the current region.
07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.
01 Run describe-snapshots command (OSX/Linux/UNIX) using custom filtering to list the IDs of all EBS volume snapshots owned by the AWS account identified by the ID 123456789012, available in the selected region (replace the highlighted number, i.e. AWS account ID, with your own ID number):
aws ec2 describe-snapshots
--region us-east-1
--owner-ids 123456789012
--filters Name=status,Values=completed
--output table
--query 'Snapshots[*].SnapshotId'
02 The command output should return the EBS volume snapshot IDs requested:
---------------------------- | DescribeSnapshots | +--------------------------+ | snap-0b82cb946915a7e4f | | snap-0ee33391e721cfe2f | | snap-0a19e59873298d777 | +--------------------------+
03 Execute again describe-snapshots command (OSX/Linux/UNIX) using the ID of the EBS snapshot returned at the previous step as identifier and query filters to check whether the selected snapshot is encrypted or not:
aws ec2 describe-snapshots --region us-east-1 --snapshot-id snap-0b82cb946915a7e4f --query 'Snapshots[*].Encrypted'
04 The command output should return the EBS snapshot encryption status (true for encrypted and false for unencrypted):
[
false
]
05 Repeat steps no. 3 and 4 to identify any other unencrypted snapshots created in the current region.
06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.
To encrypt existing EBS volume snapshots available within your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.
04 Select the unencrypted EBS snapshot that you want to encrypt (see Audit section part I to identify the right resource).
05 Click the Actions dropdown button from the dashboard top menu and select Copy.
06 Inside Copy Snapshot dialog box, perform the following actions:
07 In the Copy Snapshot confirmation dialog box, click Snapshots (link) to go to the Snapshots page in the specified AWS region or choose Close to return to EC2 dashboard. The process will take a couple of minutes to complete, you should see the encrypted copy being created on the Snapshots page.
08 Now that your EBS volume snapshot is encrypted, you can safely delete the original (unencrypted) snapshot. To remove the required EBS snapshot from your AWS account, perform the following:
09 Repeat steps no. 4 – 8 to encrypt other unencrypted EBS snapshots available in the current region.
10 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run copy-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier (see Audit section part II to identify the right resource) to copy and encrypt the selected point-in-time snapshot to the specified destination:
aws ec2 copy-snapshot --region us-east-1 --source-region us-east-1 --destination-region us-east-1 --source-snapshot-id snap-0b82cb946915a7e4f --description "This is my encrypted AWS EBS snapshot." --encrypted
02 The command output should return the ID of the new EBS (encrypted) snapshot:
{
"SnapshotId": "snap-0da5af3166d74399f"
}
03 Now that your EBS volume snapshot is encrypted, it is safe to delete the original snapshot. Run delete-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier, to remove the snapshot from your AWS account (the command does not return an output):
aws ec2 delete-snapshot --region us-east-1 --snapshot-id snap-0b82cb946915a7e4f
04 Repeat steps no. 1 – 3 to encrypt other AWS EBS snapshots available in the current region.
05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat