Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
ID | ebs_volume_encrypted_cmk
Severity | low
Vendor | AWS
Resource | EBS
Tags | reachable
Description
Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices that you can mount on your instances, and a volume attached to an instance persists independently of the life of that instance.
EBS encryption protects data at rest: the data on the volume, every snapshot taken from it, and every volume restored from those snapshots are encrypted under the same KMS key, so a copy that is accidentally exposed (for example, a snapshot shared with the wrong account) is unreadable without access to that key.
By default, Amazon EBS encrypts with the AWS managed key for EBS (alias/aws/ebs) in your account. Alternatively, you can specify a symmetric customer managed key, either per volume through KmsKeyId or as the account's default key for EBS encryption. A customer managed key gives you control that the AWS managed key does not: you own the key policy (so you decide which principals and accounts may use the key), you can rotate it on your own schedule, disable it, or schedule it for deletion, and its use is attributable in CloudTrail. Snapshots encrypted with the AWS managed key also cannot be shared with other accounts; sharing encrypted snapshots requires a customer managed key.
Examples
CloudFormation
{
  "Resources": {
    "MyVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": { (1)
        "AvailabilityZone": "us-east-1a",
        "Size": 8,
        "Encrypted": true
      }
    }
  }
}
1 | KmsKeyId not set: with Encrypted true and no key named, the volume is encrypted with the account's default key for EBS encryption. Unless an administrator has changed that default (aws ec2 modify-ebs-default-kms-key-id), this is the AWS managed key alias/aws/ebs, whose key policy you cannot edit and which you cannot disable or rotate on your own schedule. |
Resources:
  MyVolume:
    Type: AWS::EC2::Volume
    Properties:  # (1)
      AvailabilityZone: us-east-1a
      Size: 8
      Encrypted: true
1 | KmsKeyId not set: with Encrypted true and no key named, the volume is encrypted with the account's default key for EBS encryption, which is the AWS managed key alias/aws/ebs unless an administrator has changed it with aws ec2 modify-ebs-default-kms-key-id. |
Mitigation / Fix
Buildtime
CloudFormation
{
  "Parameters": {
    "KmsKeyId": {
      "Type": "String",
      "Description": "ARN, key ID or alias of the customer managed KMS key used to encrypt the volume"
    }
  },
  "Resources": {
    "MyVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "AvailabilityZone": "us-east-1a",
        "Size": 8,
        "Encrypted": true,
        "KmsKeyId": { (1)
          "Ref": "KmsKeyId"
        }
      }
    }
  }
}
1 | KmsKeyId set: the volume is encrypted with the key the template names, here passed in through the KmsKeyId parameter as the ARN, key ID or alias of a customer managed key. Passing the AWS managed key alias/aws/ebs would also set the property but does not meet the intent of this policy. The key's policy must allow the principal creating the stack to use the key, or the volume cannot be created. |
Parameters:
  KmsKeyId:
    Type: String
    Description: ARN, key ID or alias of the customer managed KMS key used to encrypt the volume
Resources:
  MyVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: us-east-1a
      Size: 8
      Encrypted: true
      KmsKeyId: !Ref KmsKeyId  # (1)
1 | KmsKeyId set: the volume is encrypted with the key the template names, here passed in through the KmsKeyId parameter as the ARN, key ID or alias of a customer managed key. Passing the AWS managed key alias/aws/ebs would also set the property but does not meet the intent of this policy. The key's policy must allow the principal creating the stack to use the key, or the volume cannot be created. |
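Runtime
The buildtime check above only sees the template, so it cannot tell whether a volume created without KmsKeyId ended up on the AWS managed key or on a customer managed account default. The script below is an added example, not part of this policy page or of any scanner's own code: it classifies deployed volumes by describing each volume's KmsKeyId with KMS and reading KeyMetadata.KeyManager, which is CUSTOMER for a customer managed key and AWS for an AWS managed key. The evaluation runs on plain dictionaries in the shape returned by ec2.describe_volumes() and kms.describe_key(); the volume and key data embedded here are constructed samples, and the optional scan_live() helper assumes boto3 and AWS credentials with ec2:DescribeVolumes and kms:DescribeKey.

```python
"""Classify EBS volumes by the kind of KMS key that encrypts them.

Added example (not the policy page's own code). Statuses:
  PASS                  encrypted with a customer managed key (KeyManager == CUSTOMER)
  FAIL_UNENCRYPTED      Encrypted is false
  FAIL_AWS_MANAGED_KEY  encrypted with an AWS managed key such as alias/aws/ebs
  FAIL_KEY_UNKNOWN      key could not be described (deleted, or a key in another
                        account the caller cannot kms:DescribeKey); treat as failing
                        until a human confirms what the key is
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Finding:
    volume_id: str
    status: str
    kms_key_id: Optional[str]


def evaluate_volume(volume: dict, key_manager_of: Callable[[str], Optional[str]]) -> Finding:
    """volume is one element of describe_volumes()['Volumes'];
    key_manager_of(arn) returns KeyMetadata['KeyManager'] or None when the key
    cannot be described."""
    vid = volume["VolumeId"]
    if not volume.get("Encrypted"):
        return Finding(vid, "FAIL_UNENCRYPTED", None)
    key_arn = volume.get("KmsKeyId")
    if not key_arn:
        # Encrypted volumes always report their key ARN; a missing one is anomalous.
        return Finding(vid, "FAIL_KEY_UNKNOWN", None)
    manager = key_manager_of(key_arn)
    if manager == "CUSTOMER":
        return Finding(vid, "PASS", key_arn)
    if manager == "AWS":
        return Finding(vid, "FAIL_AWS_MANAGED_KEY", key_arn)
    return Finding(vid, "FAIL_KEY_UNKNOWN", key_arn)


def evaluate_volumes(volumes: Iterable[dict], key_manager_of) -> List[Finding]:
    return [evaluate_volume(v, key_manager_of) for v in volumes]


# Constructed sample data (hypothetical account IDs and key IDs).
AWS_EBS_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-aaaa-4bbb-8ccc-000000000001"
CUSTOMER_KEY = "arn:aws:kms:us-east-1:111122223333:key/22222222-aaaa-4bbb-8ccc-000000000002"
FOREIGN_KEY = "arn:aws:kms:us-east-1:444455556666:key/33333333-aaaa-4bbb-8ccc-000000000003"

SAMPLE_KEYS: Dict[str, str] = {AWS_EBS_KEY: "AWS", CUSTOMER_KEY: "CUSTOMER"}  # FOREIGN_KEY not describable
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aa11", "Encrypted": False},
    {"VolumeId": "vol-0bb22", "Encrypted": True, "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-0cc33", "Encrypted": True, "KmsKeyId": CUSTOMER_KEY},
    {"VolumeId": "vol-0dd44", "Encrypted": True, "KmsKeyId": FOREIGN_KEY},
]


def sample_findings() -> List[Finding]:
    return evaluate_volumes(SAMPLE_VOLUMES, SAMPLE_KEYS.get)


def scan_live(region: str) -> List[Finding]:
    """Same evaluation against a real account (assumes boto3 and credentials)."""
    import boto3  # imported here so the offline part of the module needs no boto3

    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    cache: Dict[str, Optional[str]] = {}

    def key_manager_of(arn: str) -> Optional[str]:
        if arn not in cache:
            try:
                cache[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]
            except Exception:  # AccessDeniedException / NotFoundException
                cache[arn] = None
        return cache[arn]

    volumes: List[dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return evaluate_volumes(volumes, key_manager_of)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.volume_id}\t{f.status}\t{f.kms_key_id or '-'}")
```

The AWS managed key cannot be swapped out on an existing volume: to move a failing volume to a customer managed key, snapshot it, copy the snapshot with a new KmsKeyId (aws ec2 copy-snapshot --encrypted --kms-key-id ...), create a volume from the copy, and replace the original.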