Test 218: AWS EBS Volume Encryption

Validates that default encryption for elastic block store (EBS) volume creation is enabled for every region where EC2 instances are detected

Updated over a month ago

Drata validates that default encryption for Elastic Block Store (EBS) volume creation is enabled for every region where EC2 instances are detected. Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

ASSOCIATED DRATA CONTROL

This test is part of the Encryption at Rest control (DCF-54) that ensures data at rest is encrypted using strong cryptographic algorithms.

WHAT TO DO IF A TEST FAILS

If Drata finds that default encryption for EBS volumes at creation is not enabled in one or more regions where EC2 instances were detected, the test will fail.

STEPS TO REMEDIATE

  1. From the Amazon EC2 console, under 'Account attributes', click EBS encryption, then 'Manage', and then the 'Enable' checkbox.

  2. Click 'Update EBS encryption' and repeat for each failing region (EBS volume encryption is configured per region).

Note: Losing access or removing the KMS key in use by the EBS volumes will result in no longer being able to access the volumes.
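The check and the per-region remediation above, as an added example rather than Drata's own implementation: `evaluate()` is the pure pass/fail logic and runs offline against a constructed sample state, while `collect_state()` and `remediate()` call the EC2 API through boto3 (assumed installed, with credentials configured).

```python
from typing import Dict, List, Tuple

# region -> (EC2 instance count, EbsEncryptionByDefault flag)
RegionState = Dict[str, Tuple[int, bool]]


def evaluate(state: RegionState) -> List[str]:
    """Regions that host EC2 instances but do not encrypt new EBS volumes by default.

    Regions with no instances are out of scope, as in the test's wording."""
    return sorted(region for region, (count, enabled) in state.items()
                  if count > 0 and not enabled)


def collect_state(session) -> RegionState:
    """Gather the per-region state with boto3 (needs credentials and network)."""
    regions = [r["RegionName"]
               for r in session.client("ec2").describe_regions()["Regions"]]
    state: RegionState = {}
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        count = sum(len(res["Instances"])
                    for page in ec2.get_paginator("describe_instances").paginate()
                    for res in page["Reservations"])
        enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
        state[region] = (count, enabled)
    return state


def remediate(session, regions: List[str]) -> None:
    """Turn on default EBS encryption in each failing region; it is a per-region setting."""
    for region in regions:
        session.client("ec2", region_name=region).enable_ebs_encryption_by_default()


# Constructed sample state standing in for a real account.
SAMPLE_STATE: RegionState = {
    "us-east-1": (12, True),   # instances present, default encryption on: pass
    "eu-west-1": (3, False),   # instances present, default encryption off: fail
    "ap-south-1": (0, False),  # no instances: out of scope for this test
}

if __name__ == "__main__":
    print("failing regions:", evaluate(SAMPLE_STATE))  # ['eu-west-1']
    # Against a live account (assumes boto3 is installed and credentials are set):
    #   import boto3; s = boto3.Session(); remediate(s, evaluate(collect_state(s)))
```

Enabling the setting through the API uses the account's default EBS KMS key unless one has been set with `modify_ebs_default_kms_key_id`, so the KMS key caveat in the note above applies equally here.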

Center for Internet Security (CIS)

This test aligns with the Center for Internet Security's (CIS) foundation benchmarks, which provide prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.
