EBS volume encryption should not be disabled

  • GG_ID: GG_IAC_0038
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description

EBS volumes are block-level storage volumes for use with EC2 instances. The data they hold should always be encrypted at rest, so that it remains protected if the underlying storage, or a snapshot taken from the volume, ends up in the hands of an attacker. A snapshot of an unencrypted volume is itself unencrypted, so the exposure is not limited to the volume alone.

Impact

Unencrypted data at rest can be read by anyone who obtains the volume, one of its snapshots, or the underlying storage, so a successful attack on any of those could lead directly to a data leak.

Remediation guidelines

Since it is not possible to turn on encryption for an existing unencrypted volume in place, you will have to perform the following manual steps:

  1. Create an unencrypted snapshot of your volume (stop the instance first if the volume is attached, to get a consistent snapshot).
  2. Create an encrypted copy of the snapshot, using either the default EBS KMS key or a customer managed key.
  3. Create a new volume from the encrypted snapshot, in the same Availability Zone as the original.
  4. Swap the old unencrypted volume for the newly encrypted volume in your instance configuration: detach the old one and attach the new one at the same device name (a root volume can only be detached while the instance is stopped). Once the instance is confirmed healthy, delete the intermediate unencrypted snapshot and the old volume, since both still hold the plaintext data.
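
The four steps above carried out with the AWS CLI, as an added example that is not part of the original page and not GitGuardian's tooling. It assumes an installed and authenticated `aws` CLI v2 with EC2 permissions on the volume and instance and KMS permissions on the chosen key; the volume ID and key passed on the command line are placeholders, and `is_volume_id` is a local helper, not an AWS command. Beyond the listed steps it also stops an attached instance first (required to detach a root volume and to get a consistent snapshot), checks that the new volume reports `Encrypted: True`, deletes the intermediate unencrypted snapshot, and shows how to enable account-level default encryption so that new volumes never start out unencrypted.

```shell
#!/bin/sh
# Added example (not from the page): move an unencrypted EBS volume to an
# encrypted one with the AWS CLI v2. Assumes `aws` is installed and
# authenticated with EC2 permissions on the volume/instance and KMS
# permissions on the key.
set -eu

# Local helper (not an AWS command): accept only the vol-<8 or 17 hex chars>
# shape so a typo fails before any snapshot is taken.
is_volume_id() {
  case "$1" in
    vol-????????|vol-?????????????????) ;;
    *) return 1 ;;
  esac
  case "${1#vol-}" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Where the volume lives and how it is attached, as one tab-separated line:
# AZ, instance ID (or None), device name (or None), volume type, Encrypted.
describe_volume() {
  aws ec2 describe-volumes --volume-ids "$1" --output text \
    --query 'Volumes[0].[AvailabilityZone,Attachments[0].InstanceId,Attachments[0].Device,VolumeType,Encrypted]'
}

migrate_volume() {
  vol="$1"; key="$2"
  region="${AWS_REGION:-${AWS_DEFAULT_REGION:-$(aws configure get region)}}"
  set -- $(describe_volume "$vol")
  az="$1"; instance="$2"; device="$3"; vtype="$4"; encrypted="$5"

  if [ "$encrypted" = "True" ]; then
    echo "$vol is already encrypted, nothing to do" >&2
    return 0
  fi

  # Stop the instance first: a root volume cannot be detached while the
  # instance runs, and a stopped instance gives a consistent snapshot.
  if [ "$instance" != "None" ]; then
    aws ec2 stop-instances --instance-ids "$instance" >/dev/null
    aws ec2 wait instance-stopped --instance-ids "$instance"
  fi

  # Step 1: unencrypted snapshot of the current volume.
  snap=$(aws ec2 create-snapshot --volume-id "$vol" \
    --description "pre-encryption copy of $vol" --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # Step 2: encrypted copy of that snapshot under the chosen KMS key.
  enc_snap=$(aws ec2 copy-snapshot --source-region "$region" --source-snapshot-id "$snap" \
    --encrypted --kms-key-id "$key" --description "encrypted copy of $snap" \
    --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$enc_snap"

  # Step 3: new volume from the encrypted snapshot, same AZ and volume type.
  # (io1/io2 volumes also need --iops; tags are not copied automatically.)
  new_vol=$(aws ec2 create-volume --availability-zone "$az" --snapshot-id "$enc_snap" \
    --volume-type "$vtype" --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$new_vol"

  # Step 4: swap the volumes at the same device name and start the instance.
  # Note: attach-volume leaves DeleteOnTermination=false; restore it with
  # `aws ec2 modify-instance-attribute --block-device-mappings` if needed.
  if [ "$instance" != "None" ]; then
    aws ec2 detach-volume --volume-id "$vol" >/dev/null
    aws ec2 wait volume-available --volume-ids "$vol"
    aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" --device "$device" >/dev/null
    aws ec2 wait volume-in-use --volume-ids "$new_vol"
    aws ec2 start-instances --instance-ids "$instance" >/dev/null
  fi

  # Verify, then remove the unencrypted intermediate snapshot: it holds the
  # same plaintext data the check complained about. Keep the old volume
  # until the instance has been confirmed healthy, then delete it as well.
  [ "$(aws ec2 describe-volumes --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text)" = "True" ] || return 1
  aws ec2 delete-snapshot --snapshot-id "$snap"
  echo "$vol replaced by encrypted volume $new_vol (old volume left in place)"
}

# Prevention: with account-level default encryption on, every new volume
# and snapshot copy in the region is encrypted without per-resource flags.
enable_default_encryption() {
  aws ec2 enable-ebs-encryption-by-default >/dev/null
  aws ec2 get-ebs-encryption-by-default --query EbsEncryptionByDefault --output text
}

# Usage: ./migrate.sh vol-0123456789abcdef0 alias/aws/ebs
# (volume ID and key are placeholders; alias/aws/ebs is the AWS-managed key)
if [ "$#" -gt 0 ]; then
  is_volume_id "$1" || { echo "usage: $0 <volume-id> [kms-key-id]" >&2; exit 2; }
  migrate_volume "$1" "${2:-alias/aws/ebs}"
fi
```

Run `enable_default_encryption` once per region after the migration so the check does not reappear on the next volume someone creates without an explicit `encrypted` setting.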

External documentation