AWSOverview
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store(EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
Default EBS volume encryption only applies to newly created EBS volumes. Existing EBS volumes are not converted automatically.
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Remediation guidance
From Console
- Open the Amazon EC2 console using EC2
- Under Account attributes, click
EBS encryption. - Click Manage.
- Click the
Enablecheckbox. - Click
Update EBS encryption. - Repeat for every region requiring the change.
From Command Line
Enable default EBS encryption for the affected region:
aws ec2 enable-ebs-encryption-by-default \
--region {{asset.region}}
Verify that encryption by default is now enabled:
aws ec2 get-ebs-encryption-by-default \
--region {{asset.region}}
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
EBS encryption by default is enabled
Connectors
Covered asset types
Expected check: eq []
{ebsSettings(where: { encryptedByDefault: false }) {...AssetFragment}}
