EBS Default Encryption Disabled

Overview

Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While each EBS volume's encryption can be configured individually, there is also a per-region setting to always encrypt new EBS volumes. This setting is disabled by default, but it is recommended that it be enabled.

Rationale:

Encrypted volumes create encrypted snapshots, which prevents public sharing of snapshots without also sharing the encryption key. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. Encrypted EBS volumes provide encryption for data not only at rest, but also in transit between AWS components.

Impact: Losing access to, or deleting, the KMS key used by the EBS volumes makes those volumes inaccessible.
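As an added example (not part of the original rule page), the following Python script evaluates the per-region encryption-by-default setting the way this rule does, and can optionally turn it on. `boto3` and the EC2 client methods `get_ebs_encryption_by_default`, `get_ebs_default_kms_key_id`, `enable_ebs_encryption_by_default` and `describe_regions` are real AWS APIs; the `Finding` class, `evaluate_region`, `check_region`, `audit_account` and `summarize` are this example's own, and the evaluation logic is kept separate from the API calls so it can be exercised offline against constructed API responses.

```python
"""Check (and optionally remediate) EBS encryption by default, per region.

Added example, not code from the original rule page. `evaluate_region` is
pure and runs offline; `check_region` / `audit_account` need boto3 and
AWS credentials with ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId,
ec2:DescribeRegions and (for remediation) ec2:EnableEbsEncryptionByDefault.
"""
from dataclasses import dataclass
from typing import List, Optional

try:
    import boto3  # real AWS SDK; optional so the pure evaluation logic runs without it
except ImportError:
    boto3 = None

SEVERITY = 2  # severity as stated on the rule page


@dataclass(frozen=True)
class Finding:
    region: str
    encryption_by_default: bool
    default_kms_key: Optional[str]
    passed: bool
    message: str


def evaluate_region(region: str, encryption_resp: dict,
                    kms_resp: Optional[dict] = None) -> Finding:
    """Evaluate the response shapes of the real EC2 API calls:
       get_ebs_encryption_by_default() -> {"EbsEncryptionByDefault": bool}
       get_ebs_default_kms_key_id()    -> {"KmsKeyId": "alias/aws/ebs" | key ARN/ID}
    The check passes only when the region-wide default is enabled."""
    enabled = bool(encryption_resp.get("EbsEncryptionByDefault", False))
    key = (kms_resp or {}).get("KmsKeyId")
    if enabled:
        msg = f"EBS encryption by default enabled (default key: {key or 'alias/aws/ebs'})"
    else:
        msg = ("EBS encryption by default DISABLED: new volumes in this region are "
               "unencrypted unless encryption is set per volume")
    return Finding(region, enabled, key, enabled, msg)


def check_region(session, region: str, remediate: bool = False) -> Finding:
    """Query one region; if it fails and remediate=True, enable the default.
    Note: enabling the default does not encrypt volumes that already exist."""
    ec2 = session.client("ec2", region_name=region)
    finding = evaluate_region(region, ec2.get_ebs_encryption_by_default(),
                              ec2.get_ebs_default_kms_key_id())
    if remediate and not finding.passed:
        ec2.enable_ebs_encryption_by_default()
        finding = evaluate_region(region, ec2.get_ebs_encryption_by_default(),
                                  ec2.get_ebs_default_kms_key_id())
    return finding


def audit_account(remediate: bool = False,
                  regions: Optional[List[str]] = None) -> List[Finding]:
    """Run the check in every enabled region (the setting is per region)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for live checks")
    session = boto3.Session()
    if regions is None:
        bootstrap = session.client("ec2", region_name=session.region_name or "us-east-1")
        regions = [r["RegionName"] for r in bootstrap.describe_regions()["Regions"]]
    return [check_region(session, r, remediate) for r in regions]


def summarize(findings: List[Finding]) -> dict:
    """Collapse findings into the pass/fail lists a CSPM report would show."""
    return {
        "severity": SEVERITY,
        "failed": [f.region for f in findings if not f.passed],
        "passed": [f.region for f in findings if f.passed],
    }


if __name__ == "__main__":
    import sys
    report = summarize(audit_account(remediate="--remediate" in sys.argv))
    for region in report["failed"]:
        print(f"FAIL (severity {report['severity']}): {region}")
    for region in report["passed"]:
        print(f"PASS: {region}")
```

Run it with credentials for a read-only audit, or with `--remediate` to enable the default in every failing region. Because the setting applies only to volumes created afterwards, existing unencrypted volumes and snapshots still need to be handled separately (for example by snapshotting and copying with encryption enabled), and the KMS key reported by `get_ebs_default_kms_key_id` is the one whose loss would render those new volumes inaccessible.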

Vendor

AWS

Cloud Service

EC2

CIS AWS v1.5.0 2.2.1, CSMM v1 DAT-02.2, EC2.7

References

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_EnableEbsEncryptionByDefault.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_encryption_by_default
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html

Severity

2

Item Types

Custom::AWS::Region