EBS volume encryption should be enabled


Enabling encryption on EBS volumes protects data at rest inside the volume, data in transit between the volume and the instance, snapshots created from the volume, and volumes created from those snapshots. EBS volumes are encrypted using KMS keys.

Console Remediation Steps

  • Navigate to EC2.

  • Follow the instructions documented here.

CLI Remediation Steps

  • Get a list of an instance’s volumes to see which are encrypted and unencrypted. Note the volume id and mount device for each unencrypted volume:

    • aws ec2 describe-volumes --filters Name=attachment.instance-id, Values=<instance_id>

  • Create a snapshot of an unencrypted EBS volume and track the snapshot id that is returned:

    • aws ec2 create-snapshot --volume-id <unencrypted_volume_id>

  • Make an encrypted copy of the snapshot you just created and get the new snapshot id:

    • aws ec2 copy-snapshot --region <destination_region> --source-region <region> --encrypted --source-snapshot-id <snapshot_id>

  • Create a new EBS volume from the encrypted snapshot and get the new volume id:

    • aws ec2 create-volume --region <region> --availability-zone <availability_zone> --snapshot-id <snapshot_id> --volume-type gp2 --encrypted

  • Stop the instance with the unencrypted EBS volume:

    • aws ec2 stop-instance --instance-id <instance_id>

  • Detatch the non-encrypted EBS volume:

    • aws ec2 detach-volume --volume-id <unencrypted_volume_id>

  • Attach tne new encrypted EBS volume to the EC2 instance:

    • aws ec2 attach-volume --volume-id <encrypted_volume_id> --instance-id <instance_id> --device <device>

  • Restart the instance:

    • aws ec2 start-instance --instance-id <instance_id>