HIGH
Source
CloudSploit
ID
ebs-encrypted-snapshots

EBS Encrypted Snapshots

Ensures EBS snapshots are encrypted at rest

EBS snapshots should have at-rest encryption enabled through AWS using KMS. If the source volume was not encrypted when the snapshot was taken, the snapshot will also be unencrypted.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for EC2.

  3. Scroll down the left navigation panel and choose “Snapshots”.

  4. Select the “Snapshot” that needs to be verified and click on its name in the “Name” column.

  5. Scroll down the page and under “Details” check for “Encrypted”. If the “Encrypted” option shows “Not Encrypted”, then the selected “EBS Snapshot” is not encrypted.

  6. Repeat steps 2 - 5 to check the other “EBS Snapshots” in the AWS region.

  7. Select the unencrypted “EBS Snapshot” that needs to be encrypted, click on the “Actions” button at the top panel and click on the “Copy snapshot” option.

  8. In the “Copy Snapshot” dialog box, check the box “Encrypt this snapshot” next to “Encryption” and choose the “KMS key” from the dropdown menu.

  9. Click on the “Copy snapshot” button to copy the selected “EBS Snapshot”.

  10. Select the new EBS snapshot, click on the “Actions” button at the top panel and click on the “Create Volume from snapshot” option.

  11. In the “Create Volume” dialog box, verify that the “Encryption” option is enabled.

  12. Click on the “Create Volume” button to create the new “EBS Encrypted Volume”.

  13. Scroll down the left navigation panel and click on “Volumes”.

  14. Select the volume that is not encrypted, click on the “Actions” button at the top and click on “Detach Volume”.

  15. In the “Detach Volume” dialog box, click on the “Detach” button.

  16. Select the newly encrypted EBS volume, click on the “Actions” button at the top and click on “Attach Volume”.

  17. In the “Attach Volume” dialog box, select the EC2 instance and device name for the attachment.

  18. Repeat steps 7 - 17 to ensure all “EBS snapshots” are encrypted at rest.
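The console procedure above checks each snapshot's “Encrypted” attribute by hand and then copies the unencrypted ones with a KMS key. The following is an added example, not CloudSploit's plugin code, that does the same two things programmatically: `find_unencrypted_snapshots()` is the check (steps 3-6) and `encrypted_copy_request()` builds the CopySnapshot parameters (steps 7-9). Both run offline against a constructed DescribeSnapshots-shaped response; the snapshot IDs, volume IDs and KMS key ARN in it are placeholders. `audit_region()` shows the equivalent boto3 calls for a live account and assumes boto3 is installed and credentials are configured.

```python
"""Audit EBS snapshots for at-rest encryption and prepare encrypted copies.

Added example; not CloudSploit's plugin code. The audit and request-building
functions are pure so they run offline against the constructed sample below;
audit_region() shows the equivalent boto3 calls for a live account.
"""

# Constructed sample shaped like an EC2 DescribeSnapshots response.
# Snapshot IDs, volume IDs and the KMS key ARN are placeholders.
SAMPLE_RESPONSE = {
    "Snapshots": [
        {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "VolumeId": "vol-0aaaaaaaaaaaaaaaa",
         "State": "completed", "Encrypted": False, "Description": "app data, nightly"},
        {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "VolumeId": "vol-0bbbbbbbbbbbbbbbb",
         "State": "completed", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
        # Missing "Encrypted" key: reported as a finding rather than silently passed.
        {"SnapshotId": "snap-0ccccccccccccccccc", "VolumeId": "vol-0ccccccccccccccccc",
         "State": "completed"},
    ]
}


def find_unencrypted_snapshots(response):
    """Return IDs of snapshots whose Encrypted flag is not True.

    This is the check behind console steps 3-6: inspect each snapshot's
    Encrypted attribute. A missing attribute fails closed (counts as a finding).
    """
    return [
        snap["SnapshotId"]
        for snap in response.get("Snapshots", [])
        if snap.get("Encrypted") is not True
    ]


def encrypted_copy_request(snapshot_id, source_region, kms_key_id, description=None):
    """Build CopySnapshot parameters equivalent to console steps 7-9.

    Copying is the only way to get an encrypted version of an existing
    unencrypted snapshot; Encrypted=True plus an explicit KMS key is required.
    """
    if not kms_key_id:
        raise ValueError("an encrypted copy needs a KMS key id, alias or ARN")
    params = {
        "SourceSnapshotId": snapshot_id,
        "SourceRegion": source_region,
        "Encrypted": True,
        "KmsKeyId": kms_key_id,
    }
    if description:
        params["Description"] = description
    return params


def audit_region(region, kms_key_id, remediate=False):
    """Run the check in a live account with boto3 (assumed installed).

    Lists snapshots owned by this account, reports unencrypted ones and,
    only when remediate=True, starts an encrypted copy of each one.
    Returns (finding_ids, {source_id: new_copy_id}).
    """
    import boto3  # imported here so the offline functions above need no SDK

    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"]):
        findings.extend(find_unencrypted_snapshots(page))

    copies = {}
    for snapshot_id in findings:
        print(f"FAIL {region} {snapshot_id}: snapshot is not encrypted")
        if remediate:
            req = encrypted_copy_request(snapshot_id, region, kms_key_id,
                                         description=f"encrypted copy of {snapshot_id}")
            copies[snapshot_id] = ec2.copy_snapshot(**req)["SnapshotId"]
    return findings, copies


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    unencrypted = find_unencrypted_snapshots(SAMPLE_RESPONSE)
    print("unencrypted:", unencrypted)
    for snapshot_id in unencrypted:
        print(encrypted_copy_request(
            snapshot_id, "us-east-1",
            "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"))
```

Against a real account, `audit_region("us-east-1", "<your KMS key ARN>")` only reports; pass `remediate=True` to start the copies. Note that a copy leaves the original unencrypted snapshot in place, so once the encrypted volumes have been created and attached (steps 10-17) the originals still need to be deleted for the finding to clear, and a snapshot that backs a registered AMI cannot be deleted until that AMI is deregistered.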