HIGH
Source
Trivy
ID
AVD-AWS-0131

Instance with unencrypted block device.

Block devices should be encrypted to ensure sensitive data is held securely at rest.

Impact

The block device could be compromised and read from

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for EC2.
  3. Scroll down the left navigation panel and choose “Volumes”.
  4. Select the “Volume” that needs to be verified and click on its name from the “Name” column.
  5. Scroll down the page and under “Description” check for “Encrypted”. If the “Encrypted” option is showing “Not Encrypted” then the selected the “EBS Volume” is not encrypted.
  6. Repeat the steps number 2 - 5 to check other “EBS Snapshot” in the AWS region.
  7. Select the unencrypted “EBS Volume” that needs to be encrypted and click on the “Actions” button at the top panel and click on the “Create Snapshot” option.
  8. Provide the description of the new snapshot in the “Create Snapshot” dialog box and click on the “Create Snapshot” button.
  9. Scroll down the left navigation panel and choose “Snapshots”.
  10. Select the new “EBS Snapshot” created and click on the “Actions” button at the top panel and click on the “Copy” option.
  11. In the “Copy Snapshot” dialog box select the box “Encrypt this snapshot” next to “Encryption” and choose the “Master key” from the dropdown menu.
  12. Click on the “Copy” button to copy the selected “EBS Snapshot”.
  13. Select the new EBS snapshot and click on the “Actions” button at the top panel and click on the “Create Volume” option.
  14. In the “Create Volume” dialog box verify the “Encryption” option is enabled.
  15. Click on the “Create Volume” button to create the new “EBS Encrypted Volume”.
  16. Scroll down the left navigation panel and click on the “Volumes”.
  17. Select the volume that is not encrypted and click on the “Action” button at the top and click on the “Detach Volume”.
  18. In the “Detach Volume” dialog box click on the “Yes,Detach” button.
  19. Select the newly encrypted EBS volume and click on the “Action” button at the top and click on the “Attach Volume”.
  20. In the “Attach Volume” dialog box select the EC2 instance and device name for the attachment.
  21. Repeat steps number 7 - 20 to ensure “EBS Volume” encryption is enabled.