Ensure AWS EBS volumes are encrypted

Error: AWS EBS volumes are not encrypted

Bridgecrew Policy ID: BC_AWS_GENERAL_3
Checkov Check ID: CKV_AWS_3
Severity: HIGH

AWS EBS volumes are not encrypted

Description

Encrypting EBS volumes ensures that the volumes, their snapshots, and any replicated copies of them remain protected even if they are accidentally exposed. AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots. Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss.
We recommend that you encrypt all data stored in EBS.

Fix - Runtime

AWS Console

To enable encryption by default for new EBS volumes using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. From the navigation bar, select the Region (the setting applies per Region).
  4. From the navigation pane, select EC2 Dashboard.
  5. In the upper-right corner of the page, select Account Attributes, then Settings.
  6. Under EBS Storage, select Always encrypt new EBS volumes.
  7. Click Update.

CLI Command

To enable encryption by default for new EBS volumes in a Region, use the following command (repeat it for each Region in use):

aws ec2 --region <REGION> enable-ebs-encryption-by-default

Fix - Buildtime

Terraform

  • Resource: aws_ebs_volume
  • Argument: encrypted - (Optional) If true, the disk will be encrypted.
resource "aws_ebs_volume" "example" {
  ...
  availability_zone = var.availability_zone
+ encrypted         = true
  ...
}

CloudFormation

  • Resource: AWS::EC2::Volume
  • Argument: Properties.Encrypted - (Optional) If true, the disk will be encrypted.
Resources: 
  NewVolume:
    Type: AWS::EC2::Volume
    Properties: 
      ...
+     Encrypted: true
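The following added example (not part of this page or of Checkov's own source) shows how a static check for this policy can be implemented against both buildtime formats above: it scans a `terraform show -json` plan for `aws_ebs_volume` resources and a CloudFormation template (JSON form) for `AWS::EC2::Volume` resources, and reports any whose `encrypted`/`Encrypted` argument is not set to true. The two inputs are constructed samples; a missing argument is treated as failing, because a static check cannot see the account-level encryption-by-default setting.

```python
import json

# Constructed sample: a trimmed `terraform show -json` plan with one compliant
# volume, one that omits `encrypted`, and an unrelated resource.
TF_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
     "change": {"after": {"availability_zone": "us-east-1a", "encrypted": True}}},
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
     "change": {"after": {"availability_zone": "us-east-1a", "size": 20}}},
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"after": {"instance_type": "t3.micro"}}},
]})

# Constructed sample: a CloudFormation template (JSON form) with the same mix.
CFN_TEMPLATE = json.dumps({"Resources": {
    "GoodVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"AvailabilityZone": "us-east-1a", "Encrypted": True}},
    "BadVolume": {"Type": "AWS::EC2::Volume",
                  "Properties": {"AvailabilityZone": "us-east-1a", "Size": 20}},
}})


def is_encrypted(value):
    """Accept boolean true or the string "true" (both formats coerce it).
    None (argument omitted) and anything else count as unencrypted."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_terraform_plan(plan_json):
    """Return addresses of aws_ebs_volume resources that fail CKV_AWS_3."""
    failing = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_ebs_volume":
            continue
        # `after` is null for resources being destroyed; nothing to check then.
        after = (rc.get("change") or {}).get("after") or {}
        if not is_encrypted(after.get("encrypted")):
            failing.append(rc["address"])
    return failing


def check_cloudformation(template_json):
    """Return logical IDs of AWS::EC2::Volume resources that fail CKV_AWS_3."""
    failing = []
    for logical_id, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Volume":
            continue
        if not is_encrypted((res.get("Properties") or {}).get("Encrypted")):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    print("Terraform failures:", check_terraform_plan(TF_PLAN))          # ['aws_ebs_volume.scratch']
    print("CloudFormation failures:", check_cloudformation(CFN_TEMPLATE))  # ['BadVolume']
```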
