EC2 instances use unencrypted block device
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | MEDIUM | AWS | DATA |
Description
Amazon EBS provides durable, block-level storage volumes that you can attach to a running instance. Beyond the boot volume, they are typically used to host an application's filesystem, so they often contain configuration files and sometimes the secrets the application needs to reach external services.
Encrypting your volumes ensures that your application's runtime data cannot be compromised through raw access to the underlying disks.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | False |
Data leakage of sensitive information.
Remediation guidelines
Since an existing unencrypted volume cannot be encrypted in place, you have to perform the following manual steps:
- Create an unencrypted snapshot of your volume.
- Create an encrypted copy of the snapshot.
- Create a new volume from the encrypted snapshot.
- Swap the old unencrypted volume for the newly encrypted volume in your instance configuration.
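The four steps above, together with the detection that produces this finding, as an added boto3 example (not the rule's or AWS's own code). It assumes a boto3 EC2 client is passed in; the FakeEC2 class is a constructed stand-in with the same method names so the flow runs offline.

```python
"""Added example (not the rule's own code): detect unencrypted EBS volumes with
boto3 and re-create them encrypted following the four remediation steps.
FakeEC2 is a constructed offline stand-in; a real boto3 client has the same methods."""

def unencrypted_volumes(ec2):
    """Detection: volumes whose Encrypted flag is false, the condition this rule flags."""
    resp = ec2.describe_volumes(Filters=[{"Name": "encrypted", "Values": ["false"]}])
    return resp["Volumes"]  # use a paginator for accounts with more than 500 volumes

def encrypt_volume(ec2, region, volume, kms_key_id=None):
    """Steps 1-3: unencrypted snapshot -> encrypted copy -> new encrypted volume."""
    snap = ec2.create_snapshot(VolumeId=volume["VolumeId"])["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    copy_args = {"SourceSnapshotId": snap, "SourceRegion": region, "Encrypted": True}
    if kms_key_id:  # omit to use the account's default aws/ebs key
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    new_vol = ec2.create_volume(  # io1/io2 volumes also need Iops copied over
        SnapshotId=enc_snap, Encrypted=True, VolumeType=volume["VolumeType"],
        AvailabilityZone=volume["AvailabilityZone"])["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    return new_vol

def swap_volume(ec2, old, new_vol):
    """Step 4: attach the encrypted volume under the old device name. Stop the
    instance (root volume) or unmount the filesystem (data volume) before calling."""
    att = old["Attachments"][0]
    ec2.detach_volume(VolumeId=old["VolumeId"])
    ec2.get_waiter("volume_available").wait(VolumeIds=[old["VolumeId"]])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=att["InstanceId"], Device=att["Device"])
    return att["Device"]

class FakeEC2:
    """Constructed stand-in: returns canned ids, records calls, waiters return at once."""
    def __init__(self, volumes): self.volumes, self.calls, self.n = volumes, [], 0
    def _id(self, p): self.n += 1; return f"{p}-{self.n:017d}"
    def describe_volumes(self, Filters):  # honours only the 'encrypted' filter
        return {"Volumes": [v for v in self.volumes if not v["Encrypted"]]}
    def create_snapshot(self, **kw): return {"SnapshotId": self._id("snap")}
    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw)); return {"SnapshotId": self._id("snap")}
    def create_volume(self, **kw):
        self.calls.append(("create_volume", kw)); return {"VolumeId": self._id("vol")}
    def detach_volume(self, **kw): self.calls.append(("detach_volume", kw))
    def attach_volume(self, **kw): self.calls.append(("attach_volume", kw))
    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```

With a real client (`boto3.client("ec2", region_name=...)`), the caller needs `ec2:Describe*`, snapshot, volume and attach/detach permissions plus `kms:CreateGrant` on the chosen key.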
Note that it is possible to enable EBS encryption by default. If that is already in place, consider this finding a false positive.