Ensure that all Amazon Elastic Block Store (EBS) volumes attached to web-tier EC2 instances are encrypted in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to a web-tier EC2 instance, the data stored at rest on the volume, the disk I/O to and from the volume, and the snapshots created from the volume are all encrypted. The EBS volume encryption/decryption process is handled transparently and does not require any additional action from you, your EC2 instance, or your application. The encryption keys used to encrypt your web-tier data are entirely managed and protected by Amazon Key Management Service (KMS). This conformity rule assumes that all the AWS resources within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be known and configured within the rule settings on the Cloud Conformity dashboard.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
With encryption enabled, your web-tier AWS EBS volumes can safely store sensitive data and ensure its confidentiality. Cloud Conformity strongly recommends that all EBS volumes provisioned for the web tier be encrypted in order to protect sensitive data from attackers or unauthorized personnel.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if all your web-tier AWS EBS volumes are encrypted, perform the following actions:
Remediation / Resolution
To enable data encryption for the AWS EBS volumes provisioned within your web tier, you need to re-create them with the right encryption settings. To encrypt the necessary web-tier EBS resources, perform the following actions:
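As an added example that is not Cloud Conformity's own code or remediation steps, the Python below applies the rule's check (web-tier tag present, Encrypted flag false) to a constructed describe-volumes response and then builds the AWS CLI re-creation sequence for each failing volume. It assumes the tag Tier:web, the region us-east-1 and a KMS key placeholder; the volume and instance IDs are constructed.

```python
import json

# Constructed sample of an `aws ec2 describe-volumes` response, trimmed to the
# fields this check reads (assumption: the real response carries many more).
SAMPLE_RESPONSE = json.loads("""
{"Volumes": [
 {"VolumeId": "vol-0aaa", "Encrypted": false, "AvailabilityZone": "us-east-1a",
  "Attachments": [{"InstanceId": "i-0web1", "Device": "/dev/sdf"}],
  "Tags": [{"Key": "Tier", "Value": "web"}]},
 {"VolumeId": "vol-0bbb", "Encrypted": true, "AvailabilityZone": "us-east-1a",
  "Attachments": [{"InstanceId": "i-0web1", "Device": "/dev/sdg"}],
  "Tags": [{"Key": "Tier", "Value": "web"}]},
 {"VolumeId": "vol-0ccc", "Encrypted": false, "AvailabilityZone": "us-east-1b",
  "Attachments": [], "Tags": [{"Key": "Tier", "Value": "db"}]}
]}""")

def has_tag(volume, key, value):
    return any(t["Key"] == key and t["Value"] == value for t in volume.get("Tags", []))

def audit_web_tier(response, tag_key, tag_value):
    """Return the web-tier volumes that fail the rule (tagged but not encrypted)."""
    return [v for v in response["Volumes"]
            if has_tag(v, tag_key, tag_value) and not v.get("Encrypted", False)]

def remediation_commands(volume, tag_key, tag_value, region, kms_key_id):
    """Build the re-creation sequence as AWS CLI commands. <snapshot-id>,
    <encrypted-snapshot-id> and <new-volume-id> are outputs of the preceding
    commands and must be filled in by the operator before the next step."""
    vid = volume["VolumeId"]
    cmds = [
        f"aws ec2 create-snapshot --volume-id {vid} --description 'pre-encryption copy of {vid}'",
        f"aws ec2 copy-snapshot --source-region {region} --source-snapshot-id <snapshot-id> "
        f"--encrypted --kms-key-id {kms_key_id}",
        f"aws ec2 create-volume --snapshot-id <encrypted-snapshot-id> "
        f"--availability-zone {volume['AvailabilityZone']} --encrypted --kms-key-id {kms_key_id}",
        f"aws ec2 create-tags --resources <new-volume-id> --tags Key={tag_key},Value={tag_value}",
    ]
    for att in volume.get("Attachments", []):  # move each attachment to the new volume
        cmds.append(f"aws ec2 detach-volume --volume-id {vid}")
        cmds.append(f"aws ec2 attach-volume --volume-id <new-volume-id> "
                    f"--instance-id {att['InstanceId']} --device {att['Device']}")
    return cmds

if __name__ == "__main__":
    for v in audit_web_tier(SAMPLE_RESPONSE, "Tier", "web"):
        print(f"NON-COMPLIANT {v['VolumeId']}")
        for c in remediation_commands(v, "Tier", "web", "us-east-1", "<kms-key-id>"):
            print("  " + c)
```

Only vol-0aaa is reported: vol-0bbb is already encrypted and vol-0ccc is outside the web tier, so the old unencrypted volume (and its unencrypted snapshot) should be deleted only after the new volume is verified in use.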
You are auditing:
Web-Tier EBS Encrypted
Risk level: High