Ensure EBS default encryption is enabled

Error: EBS default encryption is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_81
Checkov Check ID: CKV_AWS_106
Severity: MEDIUM

EBS default encryption is disabled

Description

This policy identifies AWS regions in which new EBS volumes are getting created without any encryption. Encrypting data at rest reduces unintentional exposure of data stored in EBS volumes. It is recommended to configure EBS volume at the regional level so that every new EBS volume created in that region will be enabled with encryption by using a provided encryption key.

Fix - Runtime

AWS Console

To enable encryption at region level by default, follow below URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default

Additional Information:
To detect existing EBS volumes that are not encrypted ; refer Saved Search:
AWS EBS volumes are not encrypted_RL
To detect existing EBS volumes that are not encrypted with CMK, refer Saved Search:
AWS EBS volume not encrypted using Customer Managed Key_RL

Fix - Buildtime

Terraform

  • Resource: aws_ebs_encryption_by_default
  • Argument: enabled
resource "aws_ebs_encryption_by_default" "enabled" {
+ enabled = true
}