Ensure that all Amazon Elastic Block Store (EBS) volumes attached to EC2 instances provisioned within the app tier are encrypted, in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to an app-tier EC2 instance, the data stored at rest on the volume, the disk I/O and all the snapshots taken from the volume are encrypted. The encryption/decryption process is handled transparently and does not require any additional action from you, your instance, or your application. The encryption keys used to encrypt your app-tier data are entirely managed and protected by Amazon Key Management Service (KMS).
This conformity rule assumes that all the AWS resources available within your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be identified and configured within the rule settings, on the Cloud Conformity dashboard.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
With encryption enabled, your app-tier EBS volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all Amazon EBS volumes provisioned for the app tier should be encrypted in order to protect sensitive data from attackers or unauthorized users.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if all your app-tier EBS volumes are encrypted, perform the following actions:
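An added example, not part of the Cloud Conformity rule content: one way to run this check against the "Volumes" list returned by `aws ec2 describe-volumes`, including volumes that carry no tier tag and would therefore escape a tag-scoped rule. The tag `Tier`=`app`, the volume and instance IDs, and the helper names are assumptions constructed for illustration.

```python
# Constructed sample shaped like the "Volumes" list returned by
# `aws ec2 describe-volumes`. IDs and the tag Tier=app are made-up stand-ins
# for <app_tier_tag>:<app_tier_tag_value>.
def vol(vid, encrypted, tags, instance=None):
    att = [{"InstanceId": instance, "State": "attached"}] if instance else []
    v = {"VolumeId": vid, "Encrypted": encrypted, "Attachments": att}
    if tags is not None:  # the "Tags" key can be absent on untagged volumes
        v["Tags"] = [{"Key": k, "Value": x} for k, x in tags.items()]
    return v

SAMPLE_VOLUMES = [
    vol("vol-0a1", True,  {"Tier": "app"}, "i-0a1"),      # compliant
    vol("vol-0b2", False, {"Tier": "app"}, "i-0a1"),      # violation
    vol("vol-0c3", False, {"Tier": "web"}, "i-0b2"),      # other tier, out of scope
    vol("vol-0d4", False, {"Tier": "app"}),               # app tier, not attached
    vol("vol-0e5", False, {"Name": "scratch"}, "i-0a1"),  # no tier tag
    vol("vol-0f6", False, None, "i-0c3"),                 # untagged
]

def tags_of(volume):
    """Flatten the EC2 tag list into a dict; tolerate a missing "Tags" key."""
    return {t["Key"]: t["Value"] for t in volume.get("Tags", [])}

def audit_app_tier(volumes, tag_key, tag_value):
    """Classify unencrypted volumes relative to the app-tier tag."""
    report = {"failed": [], "unattached_unencrypted": [], "missing_tier_tag": []}
    for v in volumes:
        if v.get("Encrypted", False):
            continue  # encrypted volumes pass regardless of tier
        tags = tags_of(v)
        if tag_key not in tags:
            # Cannot be scoped to any tier: a tag-based rule never sees these.
            report["missing_tier_tag"].append(v["VolumeId"])
            continue
        if tags[tag_key] != tag_value:  # tag keys and values are case-sensitive
            continue
        instances = [a["InstanceId"] for a in v.get("Attachments", [])
                     if a.get("State") in ("attaching", "attached")]
        if instances:
            report["failed"].append((v["VolumeId"], instances))
        else:
            report["unattached_unencrypted"].append(v["VolumeId"])
    return report

if __name__ == "__main__":
    for status, items in audit_app_tier(SAMPLE_VOLUMES, "Tier", "app").items():
        print(status, items)
```

Against a live account, pass in the `Volumes` list parsed from the CLI's JSON output in place of `SAMPLE_VOLUMES`.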
Remediation / Resolution
To enable data encryption for the AWS EBS volumes provisioned within your app tier, you need to re-create them with the right encryption configuration. To encrypt the necessary app-tier EBS resources, perform the following actions:
You are auditing:
App-Tier EBS Encrypted
Risk level: High