Ensure all Data Stored in the Launch Configuration EBS is Securely Encrypted
Description
Amazon Elastic Block Store (EBS) volumes defined in a launch configuration can be created encrypted, so every EC2 instance that Auto Scaling launches from that configuration starts with encrypted storage.
Rationale
When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.
Automated Remediation
Runtime Resource
n/a
Buildtime Resource
Terraform
Resource: aws_launch_configuration
Argument: encrypted - (Optional) Whether the volume should be encrypted or not. Do not use this option if you are using snapshot_id as the encrypted flag will be determined by the snapshot. (Default: false).
    resource "aws_launch_configuration" "as_conf" {
      name_prefix   = "terraform-lc-example-"
      image_id      = data.aws_ami.ubuntu.id
      instance_type = "t2.micro"

      # Added block: encrypt the root EBS volume of every instance launched
      root_block_device {
        encrypted = true
      }
    }
Manual Remediation
Runtime Resource
Procedure
To create an encrypted launch configuration using the AWS Console, follow these steps:
- Login to the AWS Management Console at https://console.aws.amazon.com/.
- Open the EC2 console.
- Navigate to the Auto Scaling section.
- Create a new launch configuration.
- Add an encrypted EBS volume (Add Storage).
CLI Command
create-launch-configuration has no --encrypted flag; encryption is set per volume through the Ebs.Encrypted field of --block-device-mappings. The DeviceName must match the root device of the AMI being used (for example /dev/sda1 on Ubuntu AMIs, /dev/xvda on Amazon Linux AMIs).
    aws autoscaling create-launch-configuration \
        --launch-configuration-name my-launch-config \
        --image-id ami-c6169af6 \
        --instance-type m1.medium \
        --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":8,"VolumeType":"gp2","Encrypted":true}}]'
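As an added example (not part of the original policy page or its tooling), a small offline check that reads the JSON shape returned by aws autoscaling describe-launch-configurations and reports launch configurations whose EBS mappings are not explicitly encrypted, including the case where no mappings are given and the root volume simply follows the AMI's defaults. The sample data is constructed.

```python
import json

# Constructed sample shaped like `aws autoscaling describe-launch-configurations`
# output (BlockDeviceMappings[].Ebs.Encrypted); not real account data.
SAMPLE = json.loads("""
{"LaunchConfigurations": [
  {"LaunchConfigurationName": "lc-encrypted",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 8, "Encrypted": true}}]},
  {"LaunchConfigurationName": "lc-plain",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 8, "Encrypted": false}},
     {"DeviceName": "/dev/sdf", "Ebs": {"VolumeSize": 100}},
     {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
  {"LaunchConfigurationName": "lc-no-mappings", "BlockDeviceMappings": []}
]}
""")


def unencrypted_devices(launch_config):
    """Device names whose EBS mapping is not explicitly Encrypted=true.

    Instance-store mappings (no "Ebs" key) are skipped. An Ebs block that
    omits Encrypted is reported: it is plaintext unless account-level
    default encryption is on, which this check cannot see.
    """
    bad = []
    for mapping in launch_config.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is not None and ebs.get("Encrypted") is not True:
            bad.append(mapping.get("DeviceName", "<unknown>"))
    return bad


def audit(describe_output):
    """Map each non-compliant launch configuration name to its findings.

    A configuration with no block device mappings inherits the AMI's volume
    settings, so it is flagged for manual review rather than passed.
    """
    report = {}
    for lc in describe_output.get("LaunchConfigurations", []):
        name = lc["LaunchConfigurationName"]
        if not lc.get("BlockDeviceMappings"):
            report[name] = ["<no mappings: root volume follows AMI defaults>"]
        elif unencrypted_devices(lc):
            report[name] = unencrypted_devices(lc)
    return report


if __name__ == "__main__":
    for name, devices in audit(SAMPLE).items():
        print(f"{name}: {', '.join(devices)}")
```

Feed it the saved output of the describe call to review existing configurations; anything listed should be replaced by a launch configuration built as shown above.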