Overview
If you have to, or choose to, host a database on a virtual machine rather than a managed database service, encrypt the VM's attached volumes. This control identifies VMs that might host a database from the VM name alone: names containing database, db, mariadb, postgres, oracle or sql (matched case-insensitively) are treated as database hosts, and any such VM with at least one unencrypted attached disk is flagged. Because the heuristic is name-based, a database running on a VM with an unrelated name is not flagged, so treat the findings as a lower bound rather than a complete inventory.
Remediation guidance
AWS remediation
Console
- Identify unencrypted EBS volumes that are attached to the flagged instances (Encryption = Not encrypted, State = in-use).
- Snapshot each unencrypted volume, with the database quiesced so the snapshot is consistent.
- Copy each snapshot with encryption enabled, selecting the KMS key the volume should use.
- Create encrypted volumes from the copies and swap them in for the old volumes during a maintenance window; keep the old volumes until the replacement is verified.
AWS CLI
Encryption by default is a per-region setting that applies only to volumes created after it is turned on; existing volumes still need the snapshot-copy migration below, run during a maintenance window with the database quiesced (copy-snapshot and create-volume need a completed source snapshot).
aws ec2 enable-ebs-encryption-by-default
aws ec2 create-snapshot --volume-id <volume-id> --description "migrate-to-encrypted"
aws ec2 wait snapshot-completed --snapshot-ids <snapshot-id>
aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snapshot-id> --encrypted --kms-key-id <kms-key-id>
aws ec2 wait snapshot-completed --snapshot-ids <encrypted-snapshot-id>
aws ec2 create-volume --availability-zone <az> --snapshot-id <encrypted-snapshot-id> --encrypted --kms-key-id <kms-key-id>
aws ec2 detach-volume --volume-id <volume-id>
aws ec2 attach-volume --volume-id <new-volume-id> --instance-id <instance-id> --device <device>
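The four CLI commands above cover one volume and leave out the waits and the detach/attach swap. The script below is an added example (not part of this page or of any vendor tooling) that drives the same AWS CLI through subprocess for every in-use unencrypted volume: list them, snapshot, copy with encryption, build the replacement in the source volume's AZ and type, and swap it onto the same device name. It assumes AWS CLI v2 on PATH with credentials and a default region configured; the KMS key alias and region in the usage line are placeholders. The CLI runner is injected so the sequence can be rehearsed with a fake runner before it touches an account, and the old volume is never deleted, so rollback is a detach/attach.

```python
import subprocess
from typing import Callable, List, Sequence, Tuple

# A runner takes the argument list that follows "aws" and returns the command's text output.
# Injecting it lets the whole flow be exercised with a fake before it is run for real.
Runner = Callable[[Sequence[str]], str]


def aws_cli(args: Sequence[str]) -> str:
    """Run the real AWS CLI (assumed on PATH, with credentials and a default region configured)."""
    proc = subprocess.run(["aws", *args, "--output", "text"], check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def list_unencrypted_attached(run: Runner = aws_cli) -> List[Tuple[str, str, str]]:
    """Step 1: every in-use, unencrypted EBS volume as (volume_id, instance_id, device)."""
    out = run(["ec2", "describe-volumes",
               "--filters", "Name=encrypted,Values=false", "Name=status,Values=in-use",
               "--query", "Volumes[].[VolumeId,Attachments[0].InstanceId,Attachments[0].Device]"])
    rows = []
    for line in out.splitlines():
        if line.strip():
            vol, inst, dev = line.split("\t")   # text output: one volume per line, tab-separated
            rows.append((vol, inst, dev))
    return rows


def migrate_volume(volume_id: str, instance_id: str, device: str,
                   kms_key_id: str, region: str, run: Runner = aws_cli) -> str:
    """Steps 2-4 for one data volume. Quiesce the database and unmount the filesystem (or stop
    the instance) before calling this. Returns the new encrypted volume id; the old volume is kept."""
    # 2. Snapshot the unencrypted volume and wait: copy-snapshot needs a completed source.
    src_snap = run(["ec2", "create-snapshot", "--volume-id", volume_id,
                    "--description", f"migrate-to-encrypted {volume_id}", "--query", "SnapshotId"])
    run(["ec2", "wait", "snapshot-completed", "--snapshot-ids", src_snap])
    # 3. Copy it with encryption under the chosen KMS key (same region unless --region is added).
    enc_snap = run(["ec2", "copy-snapshot", "--source-region", region, "--source-snapshot-id", src_snap,
                    "--encrypted", "--kms-key-id", kms_key_id,
                    "--description", f"encrypted copy of {src_snap}", "--query", "SnapshotId"])
    run(["ec2", "wait", "snapshot-completed", "--snapshot-ids", enc_snap])
    # 4. Build the encrypted volume in the source's AZ and type, then swap it in on the same device.
    az, vol_type = run(["ec2", "describe-volumes", "--volume-ids", volume_id,
                        "--query", "Volumes[0].[AvailabilityZone,VolumeType]"]).split("\t")
    new_vol = run(["ec2", "create-volume", "--availability-zone", az, "--snapshot-id", enc_snap,
                   "--volume-type", vol_type, "--encrypted", "--kms-key-id", kms_key_id,
                   "--query", "VolumeId"])
    run(["ec2", "wait", "volume-available", "--volume-ids", new_vol])
    run(["ec2", "detach-volume", "--volume-id", volume_id])
    run(["ec2", "wait", "volume-available", "--volume-ids", volume_id])
    run(["ec2", "attach-volume", "--volume-id", new_vol, "--instance-id", instance_id, "--device", device])
    run(["ec2", "wait", "volume-in-use", "--volume-ids", new_vol])
    return new_vol


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:                      # no arguments: just list candidates
        for row in list_unencrypted_attached():
            print(*row)
    else:                                       # e.g. vol-0abc i-0def /dev/sdf alias/ebs-db us-east-1 (placeholders)
        vol, inst, dev, kms, region = sys.argv[1:6]
        print(migrate_volume(vol, inst, dev, kms, region))
```

Root volumes are deliberately out of scope: replacing one means stopping the instance and reattaching on the root device name, and is usually simpler done by launching from an encrypted AMI copy. Data in the old snapshots is still unencrypted, so delete the source snapshots once the migration is verified.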
References
- https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html
- https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized detection and guardrails using AWS Config Conformance Packs (the managed rules ENCRYPTED_VOLUMES and EC2_EBS_ENCRYPTION_BY_DEFAULT cover this control) and, if an organization is in place, AWS Organizations SCPs, for example one that denies ec2:CreateVolume when the ec2:Encrypted condition key is false. Neither mechanism encrypts existing volumes; they stop new drift while the asset-level migration runs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
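An example conformance pack template for the service-wide path, added here for illustration and not taken from the page or from AWS sample packs. It uses two AWS managed rule identifiers, ENCRYPTED_VOLUMES (attached volumes must be encrypted) and EC2_EBS_ENCRYPTION_BY_DEFAULT (the region setting must be on); the rule names, description text and the S3 path in the comment are assumptions. Upload it to S3 and deploy it with the put-organization-conformance-pack command shown above.

```yaml
# Added example: conformance pack template for this control.
# Deploy with: aws configservice put-organization-conformance-pack \
#   --organization-conformance-pack-name ebs-encryption \
#   --template-s3-uri s3://<bucket>/ebs-encryption.yaml   (bucket and key are placeholders)
Resources:
  EbsVolumesEncrypted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ebs-volumes-encrypted
      Description: Flags attached EBS volumes that are not encrypted.
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
  EbsEncryptionByDefault:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-ebs-encryption-by-default
      Description: Flags regions where EBS encryption by default is turned off.
      Source:
        Owner: AWS
        SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
      MaximumExecutionFrequency: TwentyFour_Hours
```

ENCRYPTED_VOLUMES evaluates every attached volume, not only those on database-named instances, so its findings will be a superset of this control's; that is the behaviour you want from a guardrail, and the name heuristic stays useful for prioritising which findings to migrate first.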
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Encrypted storage is used for VMs that might host a database
Connectors: AWS
Covered asset types: vms (with their diskAttachments)
Expected check: eq [] (the control passes when the query below returns no VMs)
{
  vms(
    where: {
      diskAttachments_SOME: { disk: { encrypted: false } },
      OR: [
        { name_MATCHES: "(?i).*database.*" },
        { name_MATCHES: "(?i).*db.*" },
        { name_MATCHES: "(?i).*mariadb.*" },
        { name_MATCHES: "(?i).*postgres.*" },
        { name_MATCHES: "(?i).*oracle.*" },
        { name_MATCHES: "(?i).*sql.*" }
      ]
    }
  ) { ...AssetFragment }
}
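To see exactly what the query selects, and what it misses, the following added example (not the platform's own check, which runs the query against its asset graph) reproduces the same logic over a constructed in-memory inventory: the six name patterns from the query applied as whole-name, case-insensitive matches, combined with the diskAttachments_SOME condition. The VM names, ids and disks are made up for the illustration. It also shows the two caveats a reviewer should expect: the ".*db.*" pattern matches any name containing "db" (so "adblock-proxy" is flagged, and the separate mariadb pattern is redundant), and an unencrypted volume on a VM without a database-like name is never reported, so a second function lists those for manual review.

```python
import re
from dataclasses import dataclass
from typing import List

# Name patterns copied from the control's query. (?i) makes them case-insensitive and the
# surrounding .* turns each into a substring test over the whole VM name.
NAME_PATTERNS = [re.compile(p) for p in (
    r"(?i).*database.*",
    r"(?i).*db.*",
    r"(?i).*mariadb.*",   # redundant: any name matching this already matches .*db.*
    r"(?i).*postgres.*",
    r"(?i).*oracle.*",
    r"(?i).*sql.*",
)]


@dataclass
class Disk:
    disk_id: str
    encrypted: bool


@dataclass
class VM:
    vm_id: str
    name: str
    disks: List[Disk]   # the VM's diskAttachments


def looks_like_database_host(name: str) -> bool:
    """The OR branch of the query: does any pattern match the whole VM name?"""
    return any(p.fullmatch(name) for p in NAME_PATTERNS)


def has_unencrypted_disk(vm: VM) -> bool:
    """diskAttachments_SOME { disk { encrypted: false } }: at least one attached disk is unencrypted."""
    return any(not d.encrypted for d in vm.disks)


def find_noncompliant(vms: List[VM]) -> List[str]:
    """VM ids the control flags. The control passes only when this list is empty (eq [])."""
    return sorted(vm.vm_id for vm in vms
                  if looks_like_database_host(vm.name) and has_unencrypted_disk(vm))


def unencrypted_but_unnamed(vms: List[VM]) -> List[str]:
    """Blind spot of the name heuristic: unencrypted disks on VMs whose names do not look database-like."""
    return sorted(vm.vm_id for vm in vms
                  if has_unencrypted_disk(vm) and not looks_like_database_host(vm.name))


# Constructed sample inventory (hypothetical names and ids, not real assets).
SAMPLE_VMS = [
    VM("vm-1", "prod-postgres-01", [Disk("disk-1a", encrypted=False)]),
    VM("vm-2", "PROD-DB-02", [Disk("disk-2a", True), Disk("disk-2b", True)]),     # compliant
    VM("vm-3", "adblock-proxy", [Disk("disk-3a", False)]),    # false positive: "adblock" contains "db"
    VM("vm-4", "payments-api", [Disk("disk-4a", False)]),     # not flagged even if it runs a database
    VM("vm-5", "mysql-replica", [Disk("disk-5a", True), Disk("disk-5b", False)]),  # SOME: one bad disk suffices
]

if __name__ == "__main__":
    print("flagged by the control:", find_noncompliant(SAMPLE_VMS))          # ['vm-1', 'vm-3', 'vm-5']
    print("unencrypted, review manually:", unencrypted_but_unnamed(SAMPLE_VMS))  # ['vm-4']
```

If your naming convention uses other markers (mongo, redis, cassandra, clickhouse), the query will not see those hosts; extend the OR list in the stored check rather than relying on the remediation step to catch them.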