With encryption enabled, your EBS volumes can safely hold highly sensitive and critical data. EBS encryption and decryption are handled transparently and require no additional action from you, your server instance, or your application.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When dealing with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorized personnel. With Elastic Block Store encryption enabled, the data stored on the volume, the disk I/O, and the snapshots created from the volume are all encrypted. The EBS encryption keys use the AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure, through AWS Key Management Service (AWS KMS).
Case A: to determine if your EBS volumes are encrypted, perform the following:
Case B: to determine if your EBS snapshots are encrypted, perform the following:
Remediation / Resolution
To enable encryption on your existing EBS volumes and snapshots, you need to re-create them and turn the encryption feature on. This can be done by performing the following:
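As an added example (not code from the Conformity rule page or from AWS), the script below audits the JSON output of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` for resources whose `Encrypted` flag is false, and for each unencrypted volume builds the re-create steps described above: snapshot the volume, copy the snapshot with `--encrypted`, then create a new volume from the encrypted copy. The volume, snapshot and KMS key identifiers are constructed placeholders, and the placeholder step outputs in angle brackets are filled in by the operator between steps.

```python
import json

# Constructed sample data in the shape of `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots --owner-ids self` JSON output; all IDs and the
# KMS key ARN are placeholders, not real resources.
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp3", "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp2"},
]})
SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-0ccc", "VolumeId": "vol-0bbb", "Encrypted": False},
    {"SnapshotId": "snap-0ddd", "VolumeId": "vol-0aaa", "Encrypted": True},
]})


def unencrypted_volumes(describe_volumes_json):
    """Return the volume records whose Encrypted flag is missing or false."""
    volumes = json.loads(describe_volumes_json).get("Volumes", [])
    return [v for v in volumes if not v.get("Encrypted", False)]


def unencrypted_snapshots(describe_snapshots_json):
    """Return the snapshot records whose Encrypted flag is missing or false."""
    snapshots = json.loads(describe_snapshots_json).get("Snapshots", [])
    return [s for s in snapshots if not s.get("Encrypted", False)]


def remediation_commands(volume, region, kms_key_id):
    """CLI steps that re-create an unencrypted volume as an encrypted one: snapshot
    it, copy the snapshot with --encrypted (where the KMS key is applied), then
    create a replacement volume from the encrypted copy (it inherits encryption)."""
    vid, az, vtype = volume["VolumeId"], volume["AvailabilityZone"], volume["VolumeType"]
    return [
        f"aws ec2 create-snapshot --region {region} --volume-id {vid} "
        f"--description 'pre-encryption copy of {vid}'",
        f"aws ec2 copy-snapshot --region {region} --source-region {region} "
        f"--source-snapshot-id <SNAPSHOT_ID_FROM_STEP_1> --encrypted --kms-key-id {kms_key_id}",
        f"aws ec2 create-volume --region {region} --availability-zone {az} "
        f"--volume-type {vtype} --snapshot-id <ENCRYPTED_SNAPSHOT_ID_FROM_STEP_2>",
    ]


def audit(describe_volumes_json, describe_snapshots_json, region, kms_key_id):
    """One finding per unencrypted resource, carrying the rule's High risk level."""
    findings = [{"resource": v["VolumeId"], "risk": "High",
                 "remediation": remediation_commands(v, region, kms_key_id)}
                for v in unencrypted_volumes(describe_volumes_json)]
    for s in unencrypted_snapshots(describe_snapshots_json):
        findings.append({"resource": s["SnapshotId"], "risk": "High", "remediation": [
            f"aws ec2 copy-snapshot --region {region} --source-region {region} "
            f"--source-snapshot-id {s['SnapshotId']} --encrypted --kms-key-id {kms_key_id}"]})
    return findings
```

Swap the sample strings for the real CLI output (for example `aws ec2 describe-volumes --output json`) and print `audit(...)` to get the findings with their remediation steps; the old unencrypted volume and snapshot are deleted only after the encrypted replacements are attached and verified.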
- AWS Documentation
- Amazon Elastic Block Store (Amazon EBS)
- Amazon EBS Encryption
- Copying an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
Risk level: High