EBS volume encryption should be enabled


Enabling encryption on EBS volumes protects data at rest inside the volume, data in transit between the volume and the instance, snapshots created from the volume, and volumes created from those snapshots. EBS volumes are encrypted using KMS keys.

Remediation Steps

AWS Console

To create a new, encrypted EBS volume:

  • Navigate to EC2.

  • Select the Region in which you would like to create your volume.

  • In the navigation pane, select ELASTIC BLOCK STORE, Volumes.

  • Select Create Volume.

  • Select the desired values for Volume Type, Size, IOPS, Throughput, and Availability Zone.

  • To encrypt the volume, select Encrypt this volume, and choose a CMK.

  • Click Create Volume.


  • Get a list of an instance’s volumes to see which are encrypted and unencrypted. Note the volume id and mount device for each unencrypted volume:

    • aws ec2 describe-volumes --filters Name=attachment.instance-id, Values=<instance_id>

  • Create a snapshot of an unencrypted EBS volume and track the snapshot id that is returned:

    • aws ec2 create-snapshot --volume-id <unencrypted_volume_id>

  • Make an encrypted copy of the snapshot you just created and get the new snapshot id:

    • aws ec2 copy-snapshot --region <destination_region> --source-region <region> --encrypted --source-snapshot-id <snapshot_id>

  • Create a new EBS volume from the encrypted snapshot and get the new volume id:

    • aws ec2 create-volume --region <region> --availability-zone <availability_zone> --snapshot-id <snapshot_id> --volume-type gp2 --encrypted

  • Stop the instance with the unencrypted EBS volume:

    • aws ec2 stop-instance --instance-id <instance_id>

  • Detatch the non-encrypted EBS volume:

    • aws ec2 detach-volume --volume-id <unencrypted_volume_id>

  • Attach tne new encrypted EBS volume to the EC2 instance:

    • aws ec2 attach-volume --volume-id <encrypted_volume_id> --instance-id <instance_id> --device <device>

  • Restart the instance:

    • aws ec2 start-instance --instance-id <instance_id>


  • Ensure that the aws_ebs_volume encrypted field is set to “true”.

Example Configuration

resource "aws_ebs_volume" "example" {
  encrypted = true
  # other required fields here