Not all data stored in the EBS snapshot is securely encrypted

Description

EBS snapshots must be encrypted, as they often include sensitive information, customer PII or CPNI. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots. With EBS encryption enabled, you no longer have to build, maintain, and secure your own key management infrastructure.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. From the navigation bar, select Region.
  4. From the navigation pane, select EC2 Dashboard.
  5. In the upper-right corner of the page, click Account Attributes, then EBS encryption.
  6. click Manage.
  7. For Default encryption key, select a symmetric customer managed CMK.
  8. Click Update EBS encryption.

CLI Command

To enable EBS encryption by default:

aws ec2 enable-ebs-encryption-by-default

Fix - Buildtime

Terraform
  • Resource: aws_ebs_snapshot
  • Argument: encrypted – Whether the snapshot is encrypted.
    Example fix:

go aws_ebs_snapshot resource “aws_ebs_snapshot” “example” { volume_id = “${aws_ebs_volume.example.id}” + encrypted = true … }

ReLambda