Logo of Trend Micro

Web-Tier EBS Encrypted

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: EBS-012

Ensure that all Amazon Elastic Block Store (EBS) volumes attached to web-tier EC2 instances are encrypted in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to a web-tier EC2 instance, the data stored at rest on the volume, disk I/O and the snapshots created from the volume is encrypted. The EBS volumes encryption/decryption process is handled transparently and does not require any additional action from you, your EC2 instance, or your application. The encryption keys used to encrypt your web-tier data are entirely managed and protected by Amazon Key Management Service (KMS). This conformity rule assumes that all the AWS resources within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be known and configured within the rule settings, on the Cloud Conformity dashboard.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

With encryption enabled, your web-tier AWS EBS volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all EBS volumes provisioned for the web tier should be encrypted in order to protect sensitive data from attackers or unauthorized personnel.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if all your web-tier AWS EBS volumes are encrypted, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier EBS Encrypted conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under ELASTIC BLOCK STORE, click Volumes.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the EBS resources tagged for the web tier. If no results are returned, there is no EBS volume tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more volumes, continue with the next step.

06 Select the web-tier EBS volume that you want to examine.

07 Select the Description tab from the bottom panel and check the Encrypted configuration attribute value. If Encrypted attribute value is set to Not Encrypted, the selected web-tier EBS volume is not encrypted. Since EBS encryption is an immutable setting that can be turned on only at volume creation, to enable encryption you must re-create the volume (see Remediation/Resolution section).

08 Repeat step no. 6 and 7 to verify other EBS volumes provisioned for your web tier in the selected AWS region.

09 Change the AWS region from the navigation bar and repeat steps no. 5 – 8.

10 Repeat steps no. 1 – 9 to verify the encryption status of the EBS volumes created for other web tiers available within your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Web-Tier EBS Encrypted conformity rule settings and copy the tag set defined for AWS resources within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-volumes command (OSX/Linux/UNIX) using the tag name and value copied at the previous step as filter parameters and custom query filters to list all the web-tier EBS volumes that are not encrypted, available in the selected AWS region: 

aws ec2 describe-volumes
	--region us-east-1
	--filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value>
	--query 'Volumes[*].{VolumeId:VolumeId, Encrypted:Encrypted}'

03 The command request should return one of the following outputs:

  1. If the describe-volumes command output returns an empty array (i.e. []), as shown in the example below, there are no EBS volumes provisioned within your web tier and the audit process ends here: 
    []
  2. If the command output returns an array that contains the ID(s) of the web-tier volume(s) and encryption information about each listed resource, as shown in the example below, check the "Encrypted" configuration attribute value. If the "Encrypted" attribute value for the resource that you want to examine is set to false, the selected web-tier EBS volume is not encrypted: 
    [
    {
        "VolumeId": "vol-aabbccdd12345678",
        "Encrypted": false
    }
]

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to perform the audit process for other regions.

05 Repeat steps no. 1 – 4 to verify the encryption status of the EBS volumes created for other web tiers available within your AWS account.

Remediation / Resolution

To enable data encryption for the AWS EBS volumes provisioned within your web tier, you need to re-create them with the right encryption settings. To encrypt the necessary web-tier EBS resources, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier EBS Encrypted conformity rule settings and copy the tag set defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under ELASTIC BLOCK STORE, click Volumes.

05 Select the web-tier EBS volume that you want to encrypt.

06 Click the Actions dropdown button from the dashboard top menu and select Create Snapshot.

07 In the Create Snapshot dialog box, provide a name and a description (optional) for the snapshot, then click Create to create a new EBS volume snapshot. Click Close to return to the EC2 dashboard.

08 In the navigation panel, under ELASTIC BLOCK STORE, click Snapshots.

09 Select your newly created volume snapshot.

10 Click the Actions dropdown button from the dashboard top menu and select Copy.

11 Within Copy Snapshot dialog box, check Encrypt this snapshot checkbox and select an encryption key from the Master Key dropdown list. You can choose an AWS managed-key (i.e. "(default) aws/ebs" – a default master key that protects EBS volumes when no other key is defined) or your own AWS KMS Customer Master Key (CMK). Click Copy to copy the selected volume snapshot. Click Close to return to the dashboard.

12 Select the newly created copy of the EBS volume snapshot.

13 Click the Actions dropdown button from the dashboard top menu and select Create Volume to create a new (encrypted) EBS volume from the snapshot copy.

14 Inside the Create Volume dialog box, perform the following:

  1. Review the new volume details without changing any configuration settings.
  2. Within Tags section, check Add tags to your volume checkbox to create tags that will help organize the identity of the EBS volume. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1.
  3. Click Create Volume to create the necessary EBS volume, then click Close to return to the EC2 dashboard.

15 Go back to the left navigation panel and click Volumes.

16 Select the source (unencrypted) EBS volume.

17 Click the Actions dropdown button from the dashboard top menu and select Detach Volume.

18 In the Detach Volume dialog box click Yes, Detach.

19 Select the newly created and encrypted web-tier EBS volume.

20 Click the Actions dropdown button from the top menu and select Attach Volume.

21 Within Attach Volume dialog box, perform the following actions:

  1. From the Instance box select the EC2 instance to which the volume will be attached.
  2. In the Device box enter the device name for attachment (must match the attachment information of the source EBS volume detached earlier).
  3. Click Attach to attach the encrypted web-tier EBS volume to the necessary EC2 instance.

22 Repeat steps no. 5 – 21 to enable encryption for other EBS volumes provisioned for your web tier in the selected AWS region.

23 Repeat steps no. 1 – 22 to enable EBS volume encryption for other web tiers available within your AWS account.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Web-Tier EBS Encrypted conformity rule settings and copy the tags defined for your web tier resources (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run create-snapshot command (OSX/Linux/UNIX) to create a volume snapshot from your unencrypted web-tier AWS EBS volume: 

aws ec2 create-snapshot
	--region us-east-1
	--volume-id vol-aabbccdd12345678
	--description "Web-tier AWS EBS volume snapshot"

03 The command output should return the metadata for the new volume snapshot: 

{
    "Description": "Web-tier AWS EBS volume snapshot",
    "Tags": [],
    "Encrypted": false,
    "VolumeId": "vol-aabbccdd12345678",
    "State": "pending",
    "VolumeSize": 30,
    "StartTime": "2018-03-02T17:09:45.000Z",
    "Progress": "",
    "OwnerId": "123456789012",
    "SnapshotId": "snap-aaaabbbbcccc1234"
}

04 Run copy-snapshot command (OSX/Linux/UNIX) to create a copy of the newly created volume snapshot and enable encryption for this snapshot using the --encrypted parameter. The default KMS CMK for EBS volumes is used (i.e. "(default) aws/ebs") unless a non-default AWS KMS CMK is specified with the --kms-key-id parameter, as shown in the command example below: 

aws ec2 copy-snapshot
	--region us-east-1
	--source-region us-east-1
	--source-snapshot-id snap-aaaabbbbcccc1234
	--encrypted
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-123456789012

05 The command output should return the ID of the snapshot copy: 

{
    "SnapshotId": "snap-aaaabbbbccccdddd"
}

06 Run create-volume command (OSX/Linux/UNIX) to create a new AWS EBS volume from the encrypted snapshot copy provisioned at the previous step. EBS volumes that are created from encrypted snapshots are automatically encrypted: 

aws ec2 create-volume
	--region us-east-1
	--availability-zone us-east-1a
	--snapshot-id snap-aaaabbbbccccdddd
	--volume-type gp2

07 The command output should return the metadata for the encrypted web-tier EBS volume: 

{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-aaaabbbb12345678",
    "State": "creating",
    "Iops": 100,
    "SnapshotId": "snap-aaaabbbbccccdddd",
    "CreateTime": "2018-03-02T17:27:28.997Z",
    "Size": 30
}

08 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created AWS EBS volume as identifier to create tags for managing the identity of the new resource (i.e. web-tier EBS volume). Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Replace <web_tier_tag> and <web_tier_tag_value> (highlighted) with your own values (the command does not produce an output): 

aws ec2 create-tags
	--region us-east-1
	--resources vol-aaaabbbb12345678
	--tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

09 Run detach-volume command (OSX/Linux/UNIX) to detach the source (unencrypted) AWS EBS volume: 

aws ec2 detach-volume
	--region us-east-1
	--volume-id vol-aabbccdd12345678

10 The command output should return the request metadata: 

{
    "AttachTime": "2018-03-02T18:15:11.000Z",
    "InstanceId": "i-abcdabcdc12341234",
    "VolumeId": "vol-aabbccdd12345678",
    "State": "detaching",
    "Device": "/dev/sdf"
}

11 To attach the new (encrypted) web-tier EBS volume to the necessary EC2 instance run attach-volume command (OSX/Linux/UNIX): 

aws ec2 attach-volume
	--region us-east-1
	--volume-id vol-aaaabbbb12345678
	--instance-id i-abcdabcdc12341234
	--device /dev/sdf

12 The command output should return the command request metadata: 

{
    "AttachTime": "2018-03-02T18:19:49.657Z",
    "InstanceId": "i-abcdabcdc12341234",
    "VolumeId": "vol-aaaabbbb12345678",
    "State": "attaching",
    "Device": "/dev/sdf"
}

13 Repeat steps no. 2 – 12 to enable encryption for other EBS volumes provisioned for your web tier in the selected AWS region.

14 Repeat steps no. 1 – 13 to enable EBS volume encryption for other web tiers available within your AWS account.

References

Publication date Apr 5, 2016

Related EBS rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Web-Tier EBS Encrypted

Risk level: High