Encrypt EBS Volumes

Risk level: High

Rule ID: EBS-001

When dealing with production data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorised personnel. With Elastic Block Store encryption enabled, the data at rest on the volume, the disk I/O moving between the volume and the instance, the snapshots created from the volume and any volumes created from those snapshots are all encrypted. EBS encryption uses the AES-256 algorithm, and the keys are managed and protected by AWS Key Management Service (AWS KMS), using either the AWS managed key for EBS (aws/ebs) or a customer managed key that you choose.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

Audit

Case 1: Determine if your EBS volumes are encrypted.

Using AWS Console

1. Login to the AWS Management Console.

2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/

3. In the navigation panel, under Elastic Block Store, click Volumes.

4. Select your EBS volume that you want to examine.

5. Select the Description tab from the bottom panel.

6. Search for the Encrypted section.

7. If the Encrypted value is Not Encrypted, the EBS volume is not encrypted. Encryption cannot be switched on for an existing volume; the data must be moved to a new volume created with encryption enabled (see Remediation / Resolution below).

Using AWS CLI

1. Run describe-volumes command (OSX/Linux/UNIX) to determine if your EBS volume is encrypted. The next example command describes volume-id vol-001ad867372f9610c:

aws ec2 describe-volumes --volume-ids vol-001ad867372f9610c

2. The command output should reveal the volume's encryption status in the Encrypted field (true for enabled, false for disabled):

{
    "Volumes": [
        {
            "Attachments": [],
            "AvailabilityZone": "us-east-1b",
            "CreateTime": "2021-02-22T19:59:16.321000+00:00",
            "Encrypted": false,
            "Size": 250,
            "SnapshotId": "",
            "State": "available",
            "VolumeId": "vol-001ad867372f9610c",
            "Iops": 750,
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        }
    ]
}

3. To inspect all volumes attached to a particular EC2 instance, filter on the instance ID:

aws ec2 describe-volumes \
--filters Name=attachment.instance-id,Values=i-67988ffd

4. The command output should reveal the encryption status of each attached volume (true for enabled, false for disabled):

{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1a",
            "Attachments": [
                {
                    "AttachTime": "2016-04-04T16:51:00.000Z",
                    "InstanceId": "i-67988ffd",
                    "VolumeId": "vol-f0e0ee2e",
                    "State": "attached",
                    "DeleteOnTermination": true,
                    "Device": "/dev/xvda"
                }
            ],
            "Encrypted": false,
            "VolumeType": "gp2",
            "VolumeId": "vol-f0e0ee2e",
            "State": "in-use",
            "Iops": 90,
            "SnapshotId": "snap-12c47a84",
            "CreateTime": "2016-04-04T16:51:00.136Z",
            "Size": 30
        }
    ]
}

Audit

Case 2: Determine if your EBS snapshots are encrypted

Using AWS Console

1. Login to the AWS Management Console.

2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

3. In the navigation panel, under Elastic Block Store, click Snapshots.

4. Select your EBS snapshot.

5. Select the Description tab from the bottom panel.

6. Search for the Encrypted section.

7. If the encryption status is Not Encrypted, the selected EBS Snapshot is not encrypted.

Using AWS CLI

1. Run describe-snapshots command (OSX/Linux/UNIX) to determine if a certain EBS volume snapshot is encrypted. The next example command describes an EBS snapshot with the ID snap-0023eaa68dbbdb32e:

aws ec2 describe-snapshots \
--snapshot-ids snap-0023eaa68dbbdb32e

2. The command output should return the EBS snapshot encryption status (true for enabled, false for disabled):

{
    "Snapshots": [
        {
            "Description": "Created by CreateImage(i-019cf0d593ae5a482) for ami-04e388cc248e68001",
            "Encrypted": false,
            "OwnerId": "695292474035",
            "Progress": "100%",
            "SnapshotId": "snap-0023eaa68dbbdb32e",
            "StartTime": "2021-04-05T15:28:03.116000+00:00",
            "State": "completed",
            "VolumeId": "vol-0762a826e69597e66",
            "VolumeSize": 30,
            "Tags": []
        }
    ]
}
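Added example (not part of the nOps rule page or of the AWS CLI): a small Python script that applies both Audit cases above to the JSON that describe-volumes and describe-snapshots print, so a whole region can be checked in one pass instead of one resource at a time. The sample records are constructed from the outputs shown above; the file names and the LikelyRootDevice heuristic (treating /dev/xvda and /dev/sda1 as root devices) are assumptions.

```python
"""Audit EBS volumes and snapshots for missing encryption.

Feed it the JSON that the describe-volumes / describe-snapshots commands
shown above print (file names are an assumption):

    aws ec2 describe-volumes   --output json > volumes.json
    aws ec2 describe-snapshots --owner-ids self --output json > snapshots.json
    python3 ebs_audit.py volumes.json snapshots.json
"""
import json
import sys

# Constructed sample data for offline runs: the volume and snapshot records
# shown in the Audit sections, trimmed to the fields this script reads.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-001ad867372f9610c", "AvailabilityZone": "us-east-1b",
         "Encrypted": False, "State": "available", "Size": 250, "Attachments": []},
        {"VolumeId": "vol-f0e0ee2e", "AvailabilityZone": "us-east-1a",
         "Encrypted": False, "State": "in-use", "Size": 30,
         "Attachments": [{"InstanceId": "i-67988ffd", "Device": "/dev/xvda",
                          "DeleteOnTermination": True}]},
        {"VolumeId": "vol-0dca46a16c1fcf0f3", "AvailabilityZone": "us-east-1a",
         "Encrypted": True, "State": "available", "Size": 250, "Attachments": [],
         "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/3a471f06-7f33-411d-9e0a-64539c7187d7"},
    ]
}
SAMPLE_SNAPSHOTS = {
    "Snapshots": [
        {"SnapshotId": "snap-0023eaa68dbbdb32e", "VolumeId": "vol-0762a826e69597e66",
         "Encrypted": False, "State": "completed", "VolumeSize": 30},
        {"SnapshotId": "snap-0760ff3acda46f1d4", "VolumeId": "vol-001ad867372f9610c",
         "Encrypted": True, "State": "completed", "VolumeSize": 250},
    ]
}


def unencrypted_volumes(describe_volumes):
    """One finding per unencrypted volume (one per attachment if attached).

    The instance and device are kept so remediation can be planned per
    instance. /dev/xvda and /dev/sda1 are flagged as likely root devices
    (an assumption, not data from the API): a root volume can only be
    swapped while its instance is stopped.
    """
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attachments = vol.get("Attachments") or []
        for att in attachments or [{}]:      # unattached volume -> one empty row
            device = att.get("Device")
            findings.append({
                "VolumeId": vol["VolumeId"],
                "AvailabilityZone": vol.get("AvailabilityZone"),
                "SizeGiB": vol.get("Size"),
                "State": vol.get("State"),
                "InstanceId": att.get("InstanceId"),
                "Device": device,
                "LikelyRootDevice": device in ("/dev/xvda", "/dev/sda1"),
            })
    return findings


def unencrypted_snapshots(describe_snapshots):
    """One finding per snapshot whose Encrypted flag is false."""
    return [
        {"SnapshotId": s["SnapshotId"], "VolumeId": s.get("VolumeId"),
         "SizeGiB": s.get("VolumeSize"), "State": s.get("State")}
        for s in describe_snapshots.get("Snapshots", [])
        if not s.get("Encrypted", False)
    ]


def audit(describe_volumes, describe_snapshots):
    """Run both checks; 'compliant' is true only when nothing is flagged."""
    vols = unencrypted_volumes(describe_volumes)
    snaps = unencrypted_snapshots(describe_snapshots)
    return {"volumes": vols, "snapshots": snaps, "compliant": not vols and not snaps}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            volumes = json.load(f)
        with open(argv[2]) as f:
            snapshots = json.load(f)
    else:  # no files given: run against the constructed sample
        volumes, snapshots = SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS
    report = audit(volumes, snapshots)
    print(json.dumps(report, indent=2))
    return 0 if report["compliant"] else 1   # non-zero exit for CI pipelines


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same filtering can be pushed to the API: both describe-volumes and describe-snapshots accept `--filters Name=encrypted,Values=false`, which is the quickest way to confirm that a region has no unencrypted resources left after remediation.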

Remediation / Resolution

Encryption cannot be turned on for an existing EBS volume or snapshot. To encrypt them you must snapshot the volume, copy the snapshot with encryption enabled, create a new volume from the encrypted copy and swap it in for the original. Before taking the snapshot, stop the instance (or at least unmount the volume in the guest OS) so the snapshot is consistent; a root volume can only be detached from a stopped instance. Once the new volume has been verified, delete the unencrypted volume and the unencrypted intermediate snapshot, otherwise the plaintext data remains in the account. To stop new unencrypted volumes from being created, also enable the EBS encryption by default setting for each region you use; it applies to new volumes and snapshot copies but does not change existing ones.

This can be done by performing the following:

Using AWS Console

1. Login to the AWS Management Console.

2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

3. In the navigation panel, under Elastic Block Store, click Volumes.

4. Select your non-encrypted EBS volume.

5. Click the Actions dropdown button from the EBS dashboard top menu and select Create Snapshot.

6. In the Create Snapshot dialog box, provide a name and a description for the snapshot (optional) and click Create.

7. In the navigation panel, under Elastic Block Store, click Snapshots.

8. Select your newly created EBS snapshot and wait until the status becomes Completed.

9. Click the Actions dropdown button from the EBS snapshot dashboard top menu and select Copy.

10. In the Copy Snapshot dialog box, select the Encrypt this snapshot checkbox, choose the KMS key from the Master Key drop-down (leaving the default selects the AWS managed key for EBS, aws/ebs; pick a customer managed key if you need to control the key policy and rotation yourself) and then click Copy:

11. Wait for the newly copied snapshot to be Completed.

12. Select the new (copied) EBS snapshot.

13. Click the Actions dropdown button from the EBS dashboard top menu and click on Create Volume.

14. In the Create Volume dialog box, make sure the volume Encryption status is Encrypt this volume, select the same Availability Zone as the target instance, and click Create Volume.

15. Go back to the navigation panel and click Volumes.

16. Wait until the newly created Volume status becomes available.

17. Select the non-encrypted volume, click the Actions dropdown button from the EBS dashboard top menu, select Detach Volume and confirm by clicking Detach Volume. If this is the root volume, stop the instance first; for a data volume, unmount it inside the guest OS before detaching.

18. Select the newly encrypted EBS volume, click the Actions dropdown button from the EBS dashboard top menu and select Attach Volume.

19. In the Attach Volume dialog box enter your EC2 instance ID and the device name (the same device name the old volume used) and click Attach.

Using AWS CLI

1. Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your non-encrypted volume. The next example command creates an EBS snapshot of the volume with the ID vol-001ad867372f9610c:

aws ec2 create-snapshot --volume-id vol-001ad867372f9610c

2. The command output should provide details of the newly created snapshot. Check that State is pending and Progress is blank. Make a note of the SnapshotId as you will need it in the next step.

{
    "Description": "",
    "Encrypted": false,
    "OwnerId": "695292474035",
    "Progress": "",
    "SnapshotId": "snap-054da3490e6fb263b",
    "StartTime": "2021-07-31T22:11:08.236000+00:00",
    "State": "pending",
    "VolumeId": "vol-001ad867372f9610c",
    "VolumeSize": 250,
    "Tags": []
}

3. Run describe-snapshots with the SnapshotId copied in Step 2 to determine the current status of the snapshot.

aws ec2 describe-snapshots --snapshot-ids snap-054da3490e6fb263b

Repeat this command until State is completed and Progress is 100%.

{
    "Snapshots": [
        {
            "Description": "",
            "Encrypted": false,
            "OwnerId": "695292474035",
            "Progress": "100%",
            "SnapshotId": "snap-054da3490e6fb263b",
            "StartTime": "2021-07-31T22:11:08.236000+00:00",
            "State": "completed",
            "VolumeId": "vol-001ad867372f9610c",
            "VolumeSize": 250
        }
    ]
}

4. Run copy-snapshot command (OSX/Linux/UNIX) with the --encrypted flag to create an encrypted copy of the existing EBS snapshot, using its ID as the data source. Without --kms-key-id the copy is encrypted with the AWS managed key for EBS (aws/ebs); add --kms-key-id with a key ID, ARN or alias to use a customer managed key instead.

aws ec2 copy-snapshot \
--region us-east-1 \
--source-region us-east-1 \
--encrypted \
--source-snapshot-id snap-054da3490e6fb263b

The command output should return the new encrypted EBS snapshot ID (snapshot copy):

{
    "SnapshotId": "snap-0760ff3acda46f1d4"
}

5. Run create-volume command (OSX/Linux/UNIX) to create a new EBS volume from the encrypted snapshot. The next example command creates a volume in us-east-1a from the source snapshot with the ID snap-0760ff3acda46f1d4. The Availability Zone must be the one the target instance runs in, because a volume can only be attached within its own zone:

aws ec2 create-volume \
--region us-east-1 \
--availability-zone us-east-1a \
--snapshot-id snap-0760ff3acda46f1d4 \
--volume-type gp2 \
--encrypted

6. The command output should reveal the new encrypted EBS volume ID:

{
    "AvailabilityZone": "us-east-1a",
    "CreateTime": "2021-07-31T22:18:34+00:00",
    "Encrypted": true,
    "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/3a471f06-7f33-411d-9e0a-64539c7187d7",
    "Size": 250,
    "SnapshotId": "snap-0760ff3acda46f1d4",
    "State": "creating",
    "VolumeId": "vol-0dca46a16c1fcf0f3",
    "Iops": 750,
    "Tags": [],
    "VolumeType": "gp2",
    "MultiAttachEnabled": false
}

7. Run describe-volumes with the newly created VolumeId until State becomes available.

aws ec2 describe-volumes --volume-ids vol-0dca46a16c1fcf0f3

Output:
{
    "Volumes": [
        {
            "Attachments": [],
            "AvailabilityZone": "us-east-1a",
            "CreateTime": "2021-07-31T22:18:34.103000+00:00",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:695292474035:key/3a471f06-7f33-411d-9e0a-64539c7187d7",
            "Size": 250,
            "SnapshotId": "snap-0760ff3acda46f1d4",
            "State": "available",
            "VolumeId": "vol-0dca46a16c1fcf0f3",
            "Iops": 750,
            "VolumeType": "gp2",
            "MultiAttachEnabled": false
        }
    ]
}

8. Run detach-volume command (OSX/Linux/UNIX) to detach the non-encrypted EBS volume. The next example command detaches the EBS volume with the ID vol-001ad867372f9610c. Stop the instance first if this is its root volume; for a data volume, unmount it inside the guest OS before detaching so that no writes are lost.

aws ec2 detach-volume --volume-id vol-001ad867372f9610c

9. To attach the new encrypted EBS volume to your EC2 instance, run attach-volume command (OSX/Linux/UNIX). The next example command attaches the EBS volume with the ID vol-0dca46a16c1fcf0f3 to the EC2 instance with the ID i-04096936dff888674 as device /dev/sdf (use the device name the old volume had if the instance expects it there):

aws ec2 attach-volume \
--volume-id vol-0dca46a16c1fcf0f3 \
--instance-id i-04096936dff888674 \
--device /dev/sdf

10. The command output should return the attachment state of the encrypted EBS volume (attaching in this case):

{
    "AttachTime": "2021-08-01T19:11:30.670Z",
    "InstanceId": "i-04096936dff888674",
    "VolumeId": "vol-0dca46a16c1fcf0f3",
    "State": "attaching",
    "Device": "/dev/sdf"
}

11. Run describe-volumes command against the new encrypted volume until the State becomes in-use.

aws ec2 describe-volumes \
--volume-ids vol-0dca46a16c1fcf0f3 \
--query 'Volumes[].State'

Output:
[
    "in-use"
]
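Added example (not part of the original page): the CLI steps above as a single Python function written against the boto3 EC2 client method names (create_snapshot, copy_snapshot, create_volume, detach_volume, attach_volume and the snapshot_completed / volume_available / volume_in_use waiters), with the checks that the manual procedure leaves to the operator, plus the account-level encryption by default setting. Pass boto3.client("ec2", region_name=...) for a real run; the FakeEC2 class is a constructed stand-in so the flow can be exercised offline, and the ids it returns are the ones shown above, not real resources.

```python
"""Re-create an unencrypted EBS volume as an encrypted one (the CLI steps
above as one function) and enable EBS encryption by default for the region.

For a real run pass boto3.client("ec2", region_name="us-east-1"). FakeEC2
below only records the calls so the sequence can be inspected offline.
"""


def reencrypt_volume(ec2, region, volume_id, instance_id, device, kms_key_id=None):
    """Snapshot -> encrypted copy -> new volume -> detach old -> attach new.

    Refuses, before changing anything, a volume that is already encrypted or
    a root volume whose instance is not stopped (a root volume cannot be
    detached from a running instance). Data volumes should be unmounted in
    the guest OS first; the API cannot do that. The old volume and the
    unencrypted intermediate snapshot are kept so the data can be verified
    before they are deleted.
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"]:
        raise ValueError(f"{volume_id} is already encrypted")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    if device == inst["RootDeviceName"] and inst["State"]["Name"] != "stopped":
        raise RuntimeError(f"{device} is the root device; stop {instance_id} first")

    key = {"KmsKeyId": kms_key_id} if kms_key_id else {}   # omitted -> aws/ebs key
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    enc_snap = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap,
                                 Encrypted=True, **key)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    # Same zone as the old volume (and therefore the instance). io1/io2 and
    # tuned gp3 volumes would also need Iops/Throughput copied across.
    new_vol = ec2.create_volume(AvailabilityZone=vol["AvailabilityZone"], SnapshotId=enc_snap,
                                VolumeType=vol.get("VolumeType", "gp2"),
                                Encrypted=True, **key)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    if not ec2.describe_volumes(VolumeIds=[new_vol])["Volumes"][0]["Encrypted"]:
        raise RuntimeError(f"{new_vol} was not created encrypted")   # verify before swapping

    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    return {"old_volume": volume_id, "plain_snapshot": snap,
            "encrypted_snapshot": enc_snap, "new_volume": new_vol}


def ensure_encryption_by_default(ec2):
    """Turn on EBS encryption by default for the client's region (idempotent)."""
    if not ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]:
        ec2.enable_ebs_encryption_by_default()
    return ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]


class FakeEC2:
    """Offline stand-in for the boto3 EC2 client; ids are constructed."""
    _CANNED = {
        "create_snapshot": {"SnapshotId": "snap-054da3490e6fb263b"},
        "copy_snapshot": {"SnapshotId": "snap-0760ff3acda46f1d4"},
        "create_volume": {"VolumeId": "vol-0dca46a16c1fcf0f3"},
        "detach_volume": {}, "attach_volume": {"State": "attaching"},
    }

    def __init__(self, instance_state="stopped", root_device="/dev/xvda"):
        self.calls, self.default_on = [], False
        self.instance_state, self.root_device = instance_state, root_device
        self.plain = {"vol-001ad867372f9610c"}   # every other volume reads as encrypted

    def __getattr__(self, name):               # the mutating calls: record and answer
        if name not in self._CANNED:
            raise AttributeError(name)
        def call(**kw):
            self.calls.append((name, kw))
            return dict(self._CANNED[name])
        return call

    def describe_volumes(self, VolumeIds):
        v = VolumeIds[0]
        return {"Volumes": [{"VolumeId": v, "AvailabilityZone": "us-east-1a",
                             "VolumeType": "gp2", "Encrypted": v not in self.plain}]}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"RootDeviceName": self.root_device,
                                                 "State": {"Name": self.instance_state}}]}]}

    def get_waiter(self, name):
        self.calls.append(("wait:" + name, {}))
        return self

    def wait(self, **kw):                      # waiters return immediately offline
        pass

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self.default_on}

    def enable_ebs_encryption_by_default(self):
        self.calls.append(("enable_ebs_encryption_by_default", {}))
        self.default_on = True
        return {"EbsEncryptionByDefault": True}


if __name__ == "__main__":
    fake = FakeEC2()
    print(reencrypt_volume(fake, "us-east-1", "vol-001ad867372f9610c",
                           "i-04096936dff888674", "/dev/sdf"))
    print("encryption by default:", ensure_encryption_by_default(fake))
    for name, kw in fake.calls:
        print(name, kw)
```

Passing a customer managed key via kms_key_id applies it to both the snapshot copy and the new volume, which is what you want when the key policy, not just IAM, is meant to gate who can read the data. The two waits on snapshot_completed are the programmatic form of the "repeat until completed" polling in steps 3 and 4.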
