EBS Snapshot Encrypted

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

04 Select the volume snapshot that you want to examine.

05 Select Description tab from the dashboard bottom panel and check the Encrypted attribute value to determine whether the selected snapshot is encrypted or not. If the Encrypted attribute value is set to Not Encrypted, the selected AWS EBS volume snapshot is not encrypted, therefore your EBS snapshot data is not protected from unauthorized access.

06 Repeat steps no. 4 and 5 to identify any other unencrypted snapshots available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

01 Run describe-snapshots command (OSX/Linux/UNIX) using custom filtering to list the IDs of all EBS volume snapshots owned by the AWS account identified by the ID 123456789012, available in the selected region (replace the highlighted number, i.e. AWS account ID, with your own ID number):

aws ec2 describe-snapshots
  --region us-east-1
  --owner-ids 123456789012
  --filters Name=status,Values=completed
  --output table
  --query 'Snapshots[*].SnapshotId'

02 The command output should return the EBS volume snapshot IDs requested:

----------------------------
|     DescribeSnapshots    |
+--------------------------+
|  snap-0b82cb946915a7e4f  |
|  snap-0ee33391e721cfe2f  |
|  snap-0a19e59873298d777  |
+--------------------------+

03 Execute again describe-snapshots command (OSX/Linux/UNIX) using the ID of the EBS snapshot returned at the previous step as identifier and query filters to check whether the selected snapshot is encrypted or not:

aws ec2 describe-snapshots
  --region us-east-1
  --snapshot-id snap-0b82cb946915a7e4f
  --query 'Snapshots[*].Encrypted'

04 The command output should return the EBS snapshot encryption status (**true** for encrypted and **false** for unencrypted):

[
	false
]

05 Repeat steps no. 3 and 4 to identify any other unencrypted snapshots created in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"EBSVolumeSnapshot": {
			"Type": "AWS::EC2::Snapshot",
			"Properties": {
				"VolumeId": "vol-01234abcd1234abcd"
			}
		},
		"EBSVolumeSnapshotCopy": {
			"Type": "AWS::EC2::Snapshot",
			"Properties": {
				"SnapshotId": {
					"Ref": "EBSVolumeSnapshot"
				},
				"Encrypted": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	EBSVolumeSnapshot:
		Type: AWS::EC2::Snapshot
		Properties:
		VolumeId: vol-01234abcd1234abcd
	EBSVolumeSnapshotCopy:
		Type: AWS::EC2::Snapshot
		Properties:
		SnapshotId: !Ref 'EBSVolumeSnapshot'
		Encrypted: true

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_ebs_snapshot" "ebs-volume-snapshot" {
	volume_id = "vol-01234abcd1234abcd"
}

resource "aws_ebs_snapshot_copy" "ebs-volume-snapshot-copy" {
	source_snapshot_id = aws_ebs_snapshot.ebs-volume-snapshot.id
}

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STOREsection, choose Snapshots.

04 Select the unencrypted EBS snapshot that you want to encrypt (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Copy.

06 Inside Copy Snapshot dialog box, perform the following actions:

1. From Destination region dropdown list, select the region where you want to write the copy of the snapshot.
2. (Optional) Edit the snapshot copy description available within Description box.
3. Check Encrypt this snapshot checkbox available next to Encryption. Select the Customer Master Key (CMK) that to be used to encrypt the selected EBS snapshot from the Master Key dropdown list. If there are no custom KMS CMKs created within your account, you can use the default master key (i.e. (default) aws/ebs), a predefined key that protects your EBS snapshots when no other key is defined.
4. Click Copy to confirm the action.

07 In the Copy Snapshot confirmation dialog box, click Snapshots (link) to go to the Snapshots page in the specified AWS region or choose Close to return to EC2 dashboard. The process will take a couple of minutes to complete, you should see the encrypted copy being created on the Snapshots page.

08 Now that your EBS volume snapshot is encrypted, you can safely delete the original (unencrypted) snapshot. To remove the required EBS snapshot from your AWS account, perform the following:

1. Select the EBS snapshot that you want to delete.
2. Click the Actions dropdown button from the dashboard top menu and choose Delete.
3. Inside Delete Snapshot dialog box, click Yes, Delete to confirm your action.

09 Repeat steps no. 4 – 8 to encrypt other unencrypted EBS snapshots available in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Run copy-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier (see Audit section part II to identify the right resource) to copy and encrypt the selected point-in-time snapshot to the specified destination:

aws ec2 copy-snapshot
  --region us-east-1
  --source-region us-east-1
  --destination-region us-east-1
  --source-snapshot-id snap-0b82cb946915a7e4f
  --description "This is my encrypted AWS EBS snapshot."
  --encrypted

02 The command output should return the ID of the new EBS (encrypted) snapshot:

{
	"SnapshotId": "snap-0da5af3166d74399f"
}

03 Now that your EBS volume snapshot is encrypted, it is safe to delete the original snapshot. Run delete-snapshot command (OSX/Linux/UNIX) using the ID of the unencrypted snapshot as identifier, to remove the snapshot from your AWS account (the command does not return an output):

aws ec2 delete-snapshot
  --region us-east-1
  --snapshot-id snap-0b82cb946915a7e4f

04 Repeat steps no. 1 – 3 to encrypt other AWS EBS snapshots available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.