
EC2 instances use unencrypted block device

  • GG_ID: GG_IAC_0033
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False

Description

Amazon EBS provides durable, block-level storage volumes that you can attach to a running instance. Apart from the boot volume, they are typically used to host an application's filesystem, so they often contain configuration files and sometimes the secrets the application needs to reach external services.

Encrypting your volumes ensures that your application's runtime data cannot be recovered through raw access to the underlying disks.

Impact

Data leakage of sensitive information.

Remediation guidelines

Since it is not possible to encrypt an existing unencrypted volume in place, you will have to perform the following steps manually:

  1. Create an unencrypted snapshot of your volume.
  2. Create an encrypted copy of the snapshot.
  3. Create a new volume from the encrypted snapshot.
  4. Swap the old unencrypted volume for the newly encrypted volume in your instance configuration.
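The audit and the four remediation steps above, as an added example that is not code from this rule page or from GitGuardian. It is written against the boto3 EC2 client API (`create_snapshot`, `copy_snapshot`, `create_volume`, `detach_volume`, `attach_volume` and the `snapshot_completed` / `volume_available` waiters); `FakeEC2`, `SAMPLE_VOLUMES`, `demo` and every instance, volume and snapshot id are constructed here so the module runs offline. The KMS key is given as the AWS-managed alias `alias/aws/ebs`; substitute your own customer-managed key if you need control over key policy and rotation.

```python
"""Added example, not code from the GitGuardian rule page: audit an
ec2.describe_volumes() response for attached unencrypted volumes, then run the
four remediation steps (snapshot, encrypted copy, new volume, swap) through the
boto3 EC2 client API. FakeEC2 is a constructed stand-in for boto3.client("ec2")
so this runs offline; every instance, volume and snapshot id below is made up."""
import copy
import itertools
from types import SimpleNamespace


def find_unencrypted_attached_volumes(describe_volumes_response):
    """Return (volume_id, instance_id, device, az) for each attached unencrypted volume."""
    findings = []
    for vol in describe_volumes_response.get("Volumes", []):
        if vol.get("Encrypted"):
            continue
        for att in vol.get("Attachments", []):
            if att.get("State") == "attached":
                findings.append((vol["VolumeId"], att["InstanceId"], att["Device"],
                                 vol["AvailabilityZone"]))
    return findings


def migrate_volume_to_encrypted(ec2, volume_id, instance_id, device, az, kms_key_id, region):
    """Steps 1-4 of the remediation. Unmount the filesystem first (stop the instance for a root volume)."""
    # 1. Unencrypted snapshot of the current volume.
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption copy")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    # 2. Encrypted copy of that snapshot under the chosen KMS key.
    enc = ec2.copy_snapshot(SourceSnapshotId=snap["SnapshotId"], SourceRegion=region,
                            Encrypted=True, KmsKeyId=kms_key_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])
    # 3. New volume from the encrypted snapshot, in the same availability zone.
    new_vol = ec2.create_volume(SnapshotId=enc["SnapshotId"], AvailabilityZone=az)
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol["VolumeId"]])
    # 4. Swap: detach the old volume, attach the new one under the same device name.
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol["VolumeId"], InstanceId=instance_id, Device=device)
    # Drop the plaintext snapshot; the encrypted one stays as a backup.
    ec2.delete_snapshot(SnapshotId=snap["SnapshotId"])
    return new_vol["VolumeId"]


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"); records mutating calls in .calls."""
    def __init__(self, volumes):
        self.volumes = {v["VolumeId"]: v for v in copy.deepcopy(volumes)}
        self.snapshots, self.calls, self._seq = {}, [], itertools.count(1)
    def get_waiter(self, name):  # real waiters poll AWS; nothing to wait for offline
        return SimpleNamespace(wait=lambda **kw: None)
    def describe_volumes(self, **kw):
        return {"Volumes": list(self.volumes.values())}
    def create_snapshot(self, **kw):
        sid = f"snap-{next(self._seq):017d}"
        self.snapshots[sid] = {"Encrypted": self.volumes[kw["VolumeId"]]["Encrypted"]}
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": sid}
    def copy_snapshot(self, **kw):
        sid = f"snap-{next(self._seq):017d}"
        self.snapshots[sid] = {"Encrypted": kw.get("Encrypted", False)}
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": sid}
    def create_volume(self, **kw):
        vid = f"vol-{next(self._seq):017d}"
        self.volumes[vid] = {"VolumeId": vid, "Attachments": [], "AvailabilityZone": kw["AvailabilityZone"],
                             "Encrypted": self.snapshots[kw["SnapshotId"]]["Encrypted"]}
        self.calls.append(("create_volume", kw))
        return {"VolumeId": vid}
    def detach_volume(self, **kw):
        self.volumes[kw["VolumeId"]]["Attachments"] = []
        self.calls.append(("detach_volume", kw))
    def attach_volume(self, **kw):
        self.volumes[kw["VolumeId"]]["Attachments"] = [
            {"InstanceId": kw["InstanceId"], "Device": kw["Device"], "State": "attached"}]
        self.calls.append(("attach_volume", kw))
    def delete_snapshot(self, **kw):
        del self.snapshots[kw["SnapshotId"]]
        self.calls.append(("delete_snapshot", kw))


SAMPLE_VOLUMES = [  # constructed sample data, not real AWS resources
    {"VolumeId": "vol-0aaa", "AvailabilityZone": "eu-west-1a", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvdf", "State": "attached"}]},
    {"VolumeId": "vol-0bbb", "AvailabilityZone": "eu-west-1a", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0111", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0ccc", "AvailabilityZone": "eu-west-1b", "Encrypted": False,
     "Attachments": []},
]


def demo(kms_key_id="alias/aws/ebs", region="eu-west-1"):
    """Audit the sample, migrate every finding, return the fake client and findings."""
    ec2 = FakeEC2(SAMPLE_VOLUMES)
    findings = find_unencrypted_attached_volumes(ec2.describe_volumes())
    for vol_id, inst_id, dev, az in findings:
        migrate_volume_to_encrypted(ec2, vol_id, inst_id, dev, az, kms_key_id, region)
    return ec2, findings
```

Against a real account, pass `boto3.client("ec2", region_name=...)` in place of `FakeEC2` and feed `migrate_volume_to_encrypted` the rows returned by the audit; the `describe_volumes` response shape and the call sequence are the same. The audit deliberately reports only attached unencrypted volumes, which is what this rule is about; a detached one such as `vol-0ccc` still holds plaintext and should be encrypted or deleted separately. Enabling EBS encryption by default for the account and region stops new unencrypted volumes from being created in the first place, but it does not touch volumes that already exist, which is why the swap above is still needed.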

External documentation