[EC2.3]
Attached EBS volumes should be encrypted at rest
Description
All EBS volumes attached to an EC2 instance must be encrypted. The rule applies only to EBS volumes that are in use, that is, attached to an instance; unattached volumes are out of scope. EBS encryption protects data at rest on the volume, data moving between the volume and the instance, and snapshots created from the volume, so it adds a layer of defence against anyone who obtains the underlying storage or a snapshot without also obtaining the KMS key. To make this rule COMPLIANT, enable encryption on every attached EBS volume.
Details
| Property | Value |
|---|---|
| Category | Protect > Data protection > Encryption of data at rest |
| Compliance Control ID | EC2.3 |
| FortifyFox ID | FF100068 |
| Link | EC2.3 Compliance |
| Resource Type(s) | AWS::EC2::Instance, AWS::EC2::Volume, AWS::EC2::VolumeAttachment |
| Severity | Medium |
Remediation
This rule only applies to EBS volumes that are in the attached state. There are two ways of attaching a volume to an EC2 instance: by listing it in the Volumes property of the AWS::EC2::Instance resource, or by declaring an AWS::EC2::VolumeAttachment resource. In both cases the rule is satisfied by setting Encrypted: true on the AWS::EC2::Volume resource itself. The templates below show both attachment mechanisms for the same volume and omit instance properties unrelated to this rule (ImageId, InstanceType, networking).
YAML Template
```yaml
Resources:
  ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      # ImageId, InstanceType and other properties unrelated to this rule are omitted
      AvailabilityZone: !Select [0, !GetAZs '']
      Volumes:
        - Device: /dev/sdf
          VolumeId: !Ref ebsVolume
  ebsVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      Size: 8
      Encrypted: true        # this property is what EC2.3 checks
  # Alternative attachment mechanism; either Volumes above or this resource is enough
  volumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      Device: /dev/sdf
      InstanceId: !Ref ec2Instance
      VolumeId: !Ref ebsVolume
```
JSON Template
```json
{
  "Resources": {
    "ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "AvailabilityZone": { "Fn::Select": ["0", { "Fn::GetAZs": "" }] },
        "Volumes": [
          {
            "Device": "/dev/sdf",
            "VolumeId": { "Ref": "ebsVolume" }
          }
        ]
      }
    },
    "ebsVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "AvailabilityZone": { "Fn::Select": ["0", { "Fn::GetAZs": "" }] },
        "Size": 8,
        "Encrypted": true
      }
    },
    "volumeAttachment": {
      "Type": "AWS::EC2::VolumeAttachment",
      "Properties": {
        "Device": "/dev/sdf",
        "InstanceId": { "Ref": "ec2Instance" },
        "VolumeId": { "Ref": "ebsVolume" }
      }
    }
  }
}
```
📓 Notes
The templates above reference the volume from both ec2Instance (Volumes) and volumeAttachment only to show each mechanism; in practice use one or the other, since either one on its own attaches the volume and brings it into scope for this rule. Encryption is a property of the volume, not of the attachment, so the Encrypted flag must be set on the AWS::EC2::Volume resource. An existing unencrypted volume cannot be switched to encrypted in place: create a snapshot, copy the snapshot with encryption enabled, create a new volume from the encrypted copy and attach that instead.
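The following is an added example, not FortifyFox's own checker and not code from the page. It is a static pre-deployment check for EC2.3 over a CloudFormation template that has already been parsed into a dict (JSON form, so intrinsic functions appear as `{"Ref": "name"}`). It reports every AWS::EC2::Volume that is attached through either mechanism described above (the Volumes property of an AWS::EC2::Instance or an AWS::EC2::VolumeAttachment) and is not declared with Encrypted: true; unattached volumes are ignored, matching the rule's scope. The sample template and logical IDs (dataVolume, logVolume, spareVolume) are constructed for the example.

```python
"""Static EC2.3 check over a parsed CloudFormation template (added example)."""
from typing import Dict, List, Optional, Set


def _logical_id(ref) -> Optional[str]:
    """Return the logical ID behind a {"Ref": ...} value, or None for anything
    else (a literal vol-... string cannot be checked from the template alone)."""
    if isinstance(ref, dict) and set(ref) == {"Ref"}:
        return ref["Ref"]
    return None


def attached_volume_ids(resources: Dict[str, dict]) -> Set[str]:
    """Logical IDs of volumes attached via either mechanism."""
    attached: Set[str] = set()
    for res in resources.values():
        props = res.get("Properties", {}) or {}
        if res.get("Type") == "AWS::EC2::Instance":
            for entry in props.get("Volumes", []) or []:
                vid = _logical_id(entry.get("VolumeId"))
                if vid:
                    attached.add(vid)
        elif res.get("Type") == "AWS::EC2::VolumeAttachment":
            vid = _logical_id(props.get("VolumeId"))
            if vid:
                attached.add(vid)
    return attached


def is_encrypted(volume: dict) -> bool:
    """Encrypted must be explicitly true. A missing property is treated as
    non-compliant: a static check cannot see whether account-level EBS default
    encryption is enabled, so it assumes the documented default (false)."""
    value = (volume.get("Properties", {}) or {}).get("Encrypted")
    return value is True or (isinstance(value, str) and value.lower() == "true")


def non_compliant_volumes(template: dict) -> List[str]:
    """Logical IDs of attached AWS::EC2::Volume resources that fail EC2.3."""
    resources = template.get("Resources", {}) or {}
    attached = attached_volume_ids(resources)
    return sorted(
        name
        for name, res in resources.items()
        if res.get("Type") == "AWS::EC2::Volume"
        and name in attached
        and not is_encrypted(res)
    )


# Constructed sample template (not from the page): one volume attached through
# the instance's Volumes property, one through VolumeAttachment, one unattached.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ec2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "Volumes": [{"Device": "/dev/sdf", "VolumeId": {"Ref": "dataVolume"}}]
            },
        },
        "dataVolume": {  # encrypted and attached: compliant
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8, "Encrypted": True},
        },
        "logVolume": {  # attached via VolumeAttachment, Encrypted missing: non-compliant
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8},
        },
        "logAttachment": {
            "Type": "AWS::EC2::VolumeAttachment",
            "Properties": {
                "Device": "/dev/sdg",
                "InstanceId": {"Ref": "ec2Instance"},
                "VolumeId": {"Ref": "logVolume"},
            },
        },
        "spareVolume": {  # unencrypted but unattached: out of scope for EC2.3
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8},
        },
    }
}

if __name__ == "__main__":
    print("NON_COMPLIANT:", non_compliant_volumes(SAMPLE_TEMPLATE))
```

For volumes that already exist in an account rather than in a template, the equivalent runtime check is `aws ec2 describe-volumes --filters Name=status,Values=in-use Name=encrypted,Values=false`, which lists exactly the attached, unencrypted volumes this rule flags.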