AWS EC2 EBS Volume Not Encrypted with Customer Master Key (CMK)
Description:
AWS Elastic Block Store (EBS) allows you to create persistent block storage volumes for use with EC2 instances. Encryption at rest using the AWS Key Management Service (KMS) is available for EBS volumes to provide an additional layer of data protection. If an EBS volume is not encrypted with a Customer Master Key (CMK), the data on the volume might be more vulnerable to unauthorized access or exposure.
Remediation:
1. Encrypt EBS Volume with a Customer Master Key:
Note: An existing EBS volume cannot be encrypted in place. Encrypting an already provisioned volume requires creating a snapshot, copying that snapshot with encryption enabled, creating a new volume from the encrypted snapshot, and then swapping the new volume in for the original.
AWS Management Console:
- Navigate to the EC2 Dashboard.
- Go to Elastic Block Store > Volumes.
- Select the unencrypted volume and create a snapshot.
- Once the snapshot is created, select the snapshot and click on Actions > Copy.
- In the copy snapshot dialog, check the Encryption box and select your desired CMK from the list.
- Once the encrypted snapshot is available, create a new volume from this snapshot.
AWS CLI:
To copy an unencrypted snapshot and encrypt it using a specific CMK (run this in the destination region; --kms-key-id accepts a key ID, key ARN, or alias):
aws ec2 copy-snapshot --source-region [SOURCE_REGION] --source-snapshot-id [SNAPSHOT_ID] --encrypted --kms-key-id [KMS_KEY_ID]
Then, create a new volume from the encrypted snapshot:
aws ec2 create-volume --availability-zone [AVAILABILITY_ZONE] --snapshot-id [ENCRYPTED_SNAPSHOT_ID] --volume-type [VOLUME_TYPE]
Terraform:
To ensure that an EBS volume is encrypted using a specific CMK in Terraform:
resource "aws_kms_key" "ebs_encryption_key" {
  description = "Key for EBS Encryption"
  // ... other configurations ...
}

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-1a"
  size              = 40
  snapshot_id       = "[SNAPSHOT_ID]" // If creating from a snapshot
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs_encryption_key.arn
  // ... other configurations ...
}
Recommendation:
Always ensure that sensitive data on EBS volumes is encrypted at rest using a Customer Master Key for added security and compliance. Regularly review the encryption status of EBS volumes and update as necessary. Leveraging CMKs allows you to have granular control over access to the encryption key and audit key usage.
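The review step above and the snapshot-copy remediation procedure from the Remediation section, as an added Python example that is not part of the original page. It assumes boto3-style EC2 and KMS clients (the real calls used are describe_key, create_snapshot, copy_snapshot, create_volume and the snapshot_completed waiter); the FakeEC2 test double, the key ARNs and the volume records are constructed so the script runs offline. Note that a volume with Encrypted set to true may still be using the AWS-managed alias/aws/ebs key, so the audit resolves each key's KeyManager before treating a volume as CMK-encrypted.

```python
"""Audit EBS volumes for CMK encryption and remediate by snapshot copy.

Added example, not code from the original page. It assumes boto3-style
EC2/KMS clients; the FakeEC2 test double and all sample records below are
constructed so the script runs offline.
"""
from dataclasses import dataclass
from typing import Optional

AWS_MANAGED = "AWS"            # KeyManager value for keys such as alias/aws/ebs
CUSTOMER_MANAGED = "CUSTOMER"  # KeyManager value for a customer-managed key (CMK)


@dataclass
class VolumeFinding:
    volume_id: str
    status: str  # "UNENCRYPTED", "AWS_MANAGED_KEY", "UNKNOWN_KEY" or "CMK"
    kms_key_id: Optional[str]


def classify_volume(volume: dict, key_manager_by_arn: dict) -> VolumeFinding:
    """Classify one describe_volumes() record.

    key_manager_by_arn maps a KMS key ARN to the KeyManager field of
    kms.describe_key()["KeyMetadata"]. Encrypted is True for volumes using
    the AWS-managed key too, so that flag alone cannot prove CMK use.
    """
    if not volume.get("Encrypted"):
        return VolumeFinding(volume["VolumeId"], "UNENCRYPTED", None)
    key_arn = volume.get("KmsKeyId")
    manager = key_manager_by_arn.get(key_arn)
    if manager == CUSTOMER_MANAGED:
        status = "CMK"
    elif manager == AWS_MANAGED:
        status = "AWS_MANAGED_KEY"
    else:
        status = "UNKNOWN_KEY"  # fail closed: a key we cannot resolve is reported
    return VolumeFinding(volume["VolumeId"], status, key_arn)


def audit_volumes(volumes: list, key_manager_by_arn: dict) -> list:
    """Return findings for every volume that is not encrypted with a CMK."""
    findings = (classify_volume(v, key_manager_by_arn) for v in volumes)
    return [f for f in findings if f.status != "CMK"]


def load_key_managers(kms, key_arns) -> dict:
    """Resolve KeyManager for each key ARN using a real boto3 KMS client."""
    return {arn: kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
            for arn in set(key_arns) if arn}


def remediate_volume(ec2, volume_id, kms_key_id, region, availability_zone,
                     volume_type="gp3"):
    """Re-create volume_id as a new volume encrypted with kms_key_id.

    Same steps as the console/CLI procedure: snapshot the volume, copy the
    snapshot with Encrypted=True and the CMK, create a volume from the copy.
    Swapping the new volume into the instance (stop, detach, attach) is left
    to the caller. Returns the new volume id.
    """
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-encryption copy of {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    enc = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap["SnapshotId"],
                            Encrypted=True, KmsKeyId=kms_key_id)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])
    vol = ec2.create_volume(AvailabilityZone=availability_zone,
                            SnapshotId=enc["SnapshotId"], VolumeType=volume_type)
    return vol["VolumeId"]


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; records every call made."""
    class _Waiter:
        def wait(self, **kw):
            pass

    def __init__(self):
        self.calls = []

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-plain"}

    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": "snap-encrypted"}

    def create_volume(self, **kw):
        self.calls.append(("create_volume", kw))
        return {"VolumeId": "vol-new"}

    def get_waiter(self, name):
        return self._Waiter()


# Constructed sample data: two key ARNs and three describe_volumes() records.
KEY_AWS = "arn:aws:kms:us-west-1:111122223333:key/00000000-aws-managed-key"
KEY_CMK = "arn:aws:kms:us-west-1:111122223333:key/11111111-customer-cmk"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": KEY_AWS},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": KEY_CMK},
]
SAMPLE_KEY_MANAGERS = {KEY_AWS: AWS_MANAGED, KEY_CMK: CUSTOMER_MANAGED}

if __name__ == "__main__":
    for f in audit_volumes(SAMPLE_VOLUMES, SAMPLE_KEY_MANAGERS):
        print(f"{f.volume_id}: {f.status}")
    ec2 = FakeEC2()
    print("new volume:", remediate_volume(ec2, "vol-0aaa", KEY_CMK, "us-west-1", "us-west-1a"))
```

With real clients, build the key map with load_key_managers(boto3.client("kms"), [v.get("KmsKeyId") for v in volumes]) from the output of ec2.describe_volumes(), and pass boto3.client("ec2") in place of FakeEC2 to remediate_volume. The waiter calls matter in practice: copy_snapshot fails if the source snapshot is still pending, and create_volume fails on a pending copy.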