Ensure that all Amazon Elastic Block Store (EBS) volumes attached to web-tier EC2 instances are encrypted in order to meet security and compliance requirements. When an encrypted AWS EBS volume is attached to a web-tier EC2 instance, the data stored at rest on the volume, disk I/O and the snapshots created from the volume is encrypted. The EBS volumes encryption/decryption process is handled transparently and does not require any additional action from you, your EC2 instance, or your application. The encryption keys used to encrypt your web-tier data are entirely managed and protected by Amazon Key Management Service (KMS). This conformity rule assumes that all the AWS resources within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be known and configured within the rule settings, on the Cloud Conformity dashboard.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With encryption enabled, your web-tier AWS EBS volumes can safely store sensitive data and ensure confidentiality. Cloud Conformity strongly recommends that all EBS volumes provisioned for the web tier should be encrypted in order to protect sensitive data from attackers or unauthorized personnel.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if all your web-tier AWS EBS volumes are encrypted, perform the following actions:
Remediation / Resolution
To enable data encryption for the AWS EBS volumes provisioned within your web tier, you need to re-create them with the right encryption settings. To encrypt the necessary web-tier EBS resources, perform the following actions:
References
- AWS Documentation
- Amazon EBS Volumes
- Amazon EBS Encryption
- Creating an Amazon EBS Volume
- Restoring an Amazon EBS Volume from a Snapshot
- Detaching an Amazon EBS Volume from an Instance
- Attaching an Amazon EBS Volume to an Instance
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-volumes
- create-snapshot
- copy-snapshot
- create-volume
- create-tags
- detach-volume
- attach-volume
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
Web-Tier EBS Encrypted
Risk level: High