Skip to main content

EBS volume encryption should not be disabled

  • GG_ID: GG_IAC_0038
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


EBS volumes are block level storage volumes for use with EC2 instances. The data should always be encrypted at rest to protect the data if accesses are compromised.


Not encrypting data at rest could lead to data leak in case of an attack.

Remediation guidelines#

Since it is not possible to encrypt an existing unencrypted volume, you will have to perform manual steps:

  1. Create an unencrypted snapshot of your volume.
  2. Create an encrypted copy of the snapshot.
  3. Create a new volume from the encrypted snapshot.
  4. Swap the old unencrypted volume for the newly encrypted volume in your instance configuration.

External documentation#