EBS volume encryption should not be disabled
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | DATA, PERMISSION |
Description
EBS volumes are block-level storage volumes for use with EC2 instances. The data should always be encrypted at rest so that it stays protected if access to the volume is compromised.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | False | True |
Not encrypting data at rest could lead to a data leak in the event of an attack.
Remediation guidelines
Since it is not possible to encrypt an existing unencrypted volume in place, you will have to perform the following manual steps:
- Create an unencrypted snapshot of your volume.
- Create an encrypted copy of the snapshot.
- Create a new volume from the encrypted snapshot.
- Swap the old unencrypted volume for the newly encrypted volume in your instance configuration.
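The detection check and the four remediation steps above as a script, added here as an example and not part of the original rule. It assumes boto3 is installed, that the caller supplies an EC2 client permitted to snapshot, copy, create, attach and detach volumes, and it uses a constructed describe_volumes response (SAMPLE_RESPONSE) for the offline detection check.

```python
"""Detect unencrypted EBS volumes and re-encrypt them via an encrypted snapshot copy."""

# Constructed sample in the shape returned by ec2.describe_volumes(); not real volumes.
SAMPLE_RESPONSE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp3", "Attachments": []},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "VolumeType": "gp3",
     "Attachments": [{"InstanceId": "i-0ccc", "Device": "/dev/xvdf", "State": "attached"}]},
]}

def unencrypted_volumes(response):
    """Detection check for this rule: return (volume_id, [(instance_id, device), ...])
    for every volume whose Encrypted flag is False."""
    findings = []
    for vol in response.get("Volumes", []):
        if not vol.get("Encrypted", False):
            attached = [(a["InstanceId"], a["Device"]) for a in vol.get("Attachments", [])]
            findings.append((vol["VolumeId"], attached))
    return findings

def reencrypt_volume(ec2, volume_id, kms_key_id=None):
    """Steps 1-3: unencrypted snapshot -> encrypted copy -> new volume from the copy.
    Returns the new volume id once it is 'available'."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"unencrypted source of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])
    copy_args = {"SourceRegion": ec2.meta.region_name, "SourceSnapshotId": snap_id,
                 "Encrypted": True, "Description": f"encrypted copy of {snap_id}"}
    if kms_key_id:  # omitted: the account's default EBS KMS key is used
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap_id = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])
    new_id = ec2.create_volume(AvailabilityZone=vol["AvailabilityZone"], SnapshotId=enc_snap_id,
                               VolumeType=vol["VolumeType"])["VolumeId"]  # io1/io2 also need Iops
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])
    return new_id

def swap_volume(ec2, instance_id, old_volume_id, new_volume_id, device):
    """Step 4: stop the instance, detach the old volume, attach the encrypted one
    at the same device name, then start the instance again."""
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2.detach_volume(VolumeId=old_volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[old_volume_id])
    ec2.attach_volume(VolumeId=new_volume_id, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_volume_id])
    ec2.start_instances(InstanceIds=[instance_id])

if __name__ == "__main__":
    import boto3  # assumed installed; only needed for the live remediation run
    ec2 = boto3.client("ec2")
    for vol_id, attached in unencrypted_volumes(ec2.describe_volumes()):
        new_id = reencrypt_volume(ec2, vol_id)
        for instance_id, device in attached:
            swap_volume(ec2, instance_id, vol_id, new_id, device)
```

The old volume and the intermediate unencrypted snapshot still hold the plaintext data, so delete both once the swap has been verified.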