Severity : Medium
Description : Ensures EBS Default Encryption is enabled.
Description: This control ensures that encryption by default configuration for EBS volumes is enabled in account. The ‘encryption by default’ configuration enforce the encryption of the new EBS volumes and snapshot copies. Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.
Remediation Steps:
Perform following to update default encryption for EBS :
Login to the AWS Management Console at https://console.aws.amazon.com.
Select the EC2 Service.
Navigate to EC2 Dashboard.
In the , choose Account Attributes, EBS encryption.
Choose Manage.
Check the Always encrypt new EBS volumes check box.
In the Default encryption key selection, enter a Customer KMS key created in KMS for EBS encryption. Optionally, a default key alias/aws/ebs can also be used.
Click Update EBS encryption.
Important:
Encryption by default has no effect on existing EBS volumes or snapshots.
When encryption by default is enable, instance can launch only if the instance type supports EBS encryption.
Reference :