HIGH
Source
Trivy
ID
AVD-AWS-0131

Instance with unencrypted block device.

Block devices should be encrypted to ensure sensitive data is held securely at rest.

Impact

An unencrypted volume, and every snapshot taken from it, is readable by anyone who gets hold of it: a snapshot shared with the wrong account or made public, the volume attached to another instance, or a copy made by a compromised principal with EC2 snapshot permissions. With EBS encryption the volume and all snapshots derived from it are only usable by principals the KMS key policy authorises, so a leaked copy on its own yields nothing.

Follow the appropriate remediation steps below to resolve the issue.

Turn on encryption for all block devices

Resources:
  GoodExample:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"
      KeyName: "testkey"
      UserData: export SSM_PATH=/database/creds
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            # The property this check looks for on every EBS mapping.
            # Add KmsKeyId to encrypt under a customer managed key instead
            # of the AWS-managed aws/ebs key.
            Encrypted: True
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
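The check above can be reproduced locally before a template is committed. The following is an added example, not Trivy's own implementation: a stdlib-only scan of a CloudFormation template in JSON form that flags every AWS::EC2::Instance block-device mapping whose Ebs section does not set Encrypted to true. Mappings with no Ebs key (instance-store VirtualName entries, NoDevice) carry no EBS volume and are skipped; an instance with no BlockDeviceMappings at all is not flagged, because its root volume's encryption then follows the AMI snapshot and the account's EBS-encryption-by-default setting. The sample template is constructed for the example (the page's GoodExample in JSON form plus a failing twin); a YAML template would first need converting with a YAML parser.

```python
"""Reimplementation of the AVD-AWS-0131 condition for JSON CloudFormation.

Added example, not Trivy's code. Flags each AWS::EC2::Instance block-device
mapping whose Ebs section lacks Encrypted: true.
"""
import json


def _is_true(value):
    # CloudFormation accepts the JSON boolean as well as "true"/"True" strings.
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def find_unencrypted_block_devices(template):
    """Return (logical_id, device_name, reason) for each failing EBS mapping."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        for mapping in res.get("Properties", {}).get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs")
            if ebs is None:
                continue  # ephemeral (VirtualName) or NoDevice mapping: no EBS volume
            device = mapping.get("DeviceName", "?")
            encrypted = ebs.get("Encrypted")
            if encrypted is None:
                findings.append((logical_id, device, "Encrypted not set"))
            elif not _is_true(encrypted):
                findings.append((logical_id, device, f"Encrypted is {encrypted!r}"))
    return findings


def scan_template_text(text):
    """Parse a JSON template string and run the check over it."""
    return find_unencrypted_block_devices(json.loads(text))


# Constructed sample: the page's GoodExample in JSON form plus a failing twin.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "GoodExample": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-79fd7eee",
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/sdm",
                     "Ebs": {"Encrypted": True, "VolumeType": "io1", "Iops": "200",
                             "DeleteOnTermination": "false", "VolumeSize": "20"}}]}},
        "BadExample": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-79fd7eee",
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/sdm", "Ebs": {"VolumeSize": "20"}},
                    {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
                    {"DeviceName": "/dev/sdc",
                     "Ebs": {"Encrypted": "false", "VolumeSize": "8"}}]}}}})

if __name__ == "__main__":
    for finding in scan_template_text(SAMPLE_TEMPLATE):
        print(*finding)
```

Run against the sample it reports only the two EBS mappings of BadExample; the ephemeral /dev/sdb mapping and the GoodExample volume pass.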


  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for EC2.
  3. Scroll down the left navigation panel and choose “Volumes”.
  4. Select the volume that needs to be verified and click on its volume ID.
  5. On the volume's detail page check the “Encryption” field. If it shows “Not encrypted”, the selected EBS volume is not encrypted.
  6. Repeat steps 3 - 5 for every other EBS volume in the AWS region.
  7. For each unencrypted volume, note the instance it is attached to, its device name (for example /dev/xvda) and its Availability Zone: the replacement must be created in the same Availability Zone and attached under the same device name.
  8. Stop the instance (EC2 → “Instances” → “Instance state” → “Stop instance”). A root volume cannot be detached from a running instance, and stopping also guarantees the snapshot captures a consistent filesystem; for a non-root data volume, unmounting it inside the guest is an acceptable alternative.
  9. Select the unencrypted EBS volume, click on the “Actions” button at the top panel and choose “Create snapshot”.
  10. Provide a description in the “Create snapshot” dialog box and click on the “Create snapshot” button. Wait until the snapshot status is “Completed”.
  11. Scroll down the left navigation panel and choose “Snapshots”.
  12. Select the newly created EBS snapshot, click on the “Actions” button at the top panel and choose “Copy snapshot”.
  13. In the “Copy snapshot” dialog box enable “Encrypt this snapshot” and choose the KMS key (labelled “Master key” in the older console). The key must live in the same region, and every principal that will later attach, snapshot or restore the volume must be allowed by that key's policy.
  14. Click on the “Copy” button and wait until the encrypted copy is “Completed”.
  15. Select the encrypted snapshot, click on the “Actions” button at the top panel and choose “Create volume from snapshot”.
  16. In the “Create volume” dialog box verify that “Encryption” is enabled, select the Availability Zone noted in step 7, and match the original volume's type, size and (for io1/io2) IOPS.
  17. Click on the “Create volume” button to create the new encrypted EBS volume.
  18. Scroll down the left navigation panel and click on “Volumes”.
  19. Select the unencrypted volume, click on the “Actions” button at the top and choose “Detach volume”.
  20. In the “Detach volume” dialog box confirm the detach and wait for the volume state to become “Available”.
  21. Select the newly created encrypted EBS volume, click on the “Actions” button at the top and choose “Attach volume”.
  22. In the “Attach volume” dialog box select the EC2 instance, enter the device name noted in step 7, and attach.
  23. Start the instance and verify that it boots and the data is intact. Only then delete the unencrypted volume and the unencrypted snapshot from step 10; until both are deleted a plaintext copy of the data still exists in the account.
  24. Repeat steps 7 - 23 for every unencrypted volume found in step 6.
  25. To stop new volumes being created unencrypted, open the EC2 dashboard's “Settings” under “Account attributes”, choose “EBS encryption” and enable “Always encrypt new EBS volumes”. The setting is per region and does not change existing volumes, so the procedure above is still needed for those.
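The same snapshot, encrypted copy, new volume, detach and attach sequence can be scripted against the EC2 API. The following is an added example, not Trivy's or AWS's code: it uses the boto3 EC2 client method names and argument shapes, but takes the client as a parameter, so the same function runs against boto3.client("ec2") in a real account or against the constructed offline FakeEC2 stand-in at the bottom. The instance id, volume ids, snapshot ids and the KMS key alias are constructed. With a real client the snapshot waiters block for as long as the copy takes, and the instance is stopped because a root volume cannot be detached while it runs.

```python
"""Replace an attached, unencrypted EBS volume with an encrypted copy.

Added example, not Trivy/AVD code. `ec2` is any object exposing the boto3 EC2
client calls used here (boto3.client("ec2") or the FakeEC2 stand-in below).
"""


def encrypt_attached_volume(ec2, volume_id, kms_key_id, stop_instance=True):
    """Return the id of the encrypted volume now attached in place of volume_id."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"]:
        raise ValueError(f"{volume_id} is already encrypted")
    if not vol["Attachments"]:
        raise ValueError(f"{volume_id} is not attached; attach it or delete it")
    instance_id = vol["Attachments"][0]["InstanceId"]
    device = vol["Attachments"][0]["Device"]

    # A root volume cannot be detached from a running instance, and any volume
    # should be quiesced before its snapshot, so stop the instance first.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    if inst["State"]["Name"] != "stopped":
        if inst["RootDeviceName"] == device and not stop_instance:
            raise RuntimeError("replacing a root volume requires a stopped instance")
        if stop_instance:
            ec2.stop_instances(InstanceIds=[instance_id])
            ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    # Snapshot, then copy with encryption: the copy is the only step at which a
    # plaintext snapshot can become an encrypted one.
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"plaintext source for {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    enc_snap = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=ec2.meta.region_name,
                                 Encrypted=True, KmsKeyId=kms_key_id,
                                 Description=f"encrypted copy of {snap}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

    # The replacement must live in the instance's AZ; keep type and size, and
    # the provisioned IOPS that io1/io2 volumes require.
    params = dict(SnapshotId=enc_snap, AvailabilityZone=vol["AvailabilityZone"],
                  VolumeType=vol["VolumeType"], Size=vol["Size"],
                  Encrypted=True, KmsKeyId=kms_key_id)
    if vol["VolumeType"] in ("io1", "io2"):
        params["Iops"] = vol["Iops"]
    new_vol = ec2.create_volume(**params)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    # Swap at the same device name so the guest sees the same disk.
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    return new_vol


class FakeEC2:
    """Constructed offline stand-in for boto3.client("ec2"): one running
    instance whose root volume is unencrypted. Every call is kept in .calls."""

    class meta:
        region_name = "us-east-1"

    RESPONSES = {  # constructed ids and attributes
        "describe_volumes": {"Volumes": [{"Encrypted": False, "Size": 20, "VolumeType": "gp3",
                                          "AvailabilityZone": "us-east-1a",
                                          "Attachments": [{"InstanceId": "i-0123456789abcdef0",
                                                           "Device": "/dev/xvda"}]}]},
        "describe_instances": {"Reservations": [{"Instances": [{"RootDeviceName": "/dev/xvda",
                                                                "State": {"Name": "running"}}]}]},
        "create_snapshot": {"SnapshotId": "snap-0plain"},
        "copy_snapshot": {"SnapshotId": "snap-0enc"},
        "create_volume": {"VolumeId": "vol-0new"},
    }

    def __init__(self):
        self.calls = []

    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def __getattr__(self, name):  # any other API call: record it, return canned data
        def call(**kw):
            self.calls.append((name, kw))
            return self.RESPONSES.get(name, {})
        return call


if __name__ == "__main__":
    fake = FakeEC2()
    print(encrypt_attached_volume(fake, "vol-0old", "alias/ebs-at-rest"))
    print([name for name, _ in fake.calls])
```

The function deliberately leaves the plaintext volume and the plaintext snapshot in place: delete them only after the instance has been started and checked, as in the console procedure.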

Turn on encryption for all block devices

resource "aws_instance" "good_example" {
  ami           = "ami-7f89a64f"
  instance_type = "t1.micro"

  # Root volume created from the AMI. Setting encrypted = true on an existing
  # instance forces it to be replaced, so plan this for a maintenance window.
  root_block_device {
    encrypted = true
  }

  # Every EBS volume declared inline needs its own encrypted = true; kms_key_id
  # is optional and defaults to the AWS-managed aws/ebs key.
  ebs_block_device {
    device_name           = "/dev/sdg"
    volume_size           = 5
    volume_type           = "gp2"
    delete_on_termination = false
    encrypted             = true
  }
}