AWS Config Rule: EC2 EBS Encryption by Default

EC2_EBS_ENCRYPTION_BY_DEFAULT

Fernando Honig

Last Update a year ago

Description: Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.


Trigger type: Periodic


AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Spain) and Europe (Zurich)


How to Resolve Manually

To resolve this manually, log in to the AWS Management Console and open EC2 under Services.


In the EC2 Dashboard, find the Account attributes panel in the right-hand column and select EBS encryption.


Click Manage, select Enable, and choose the default encryption key. This must be done in every region and every AWS account where you have resources or plan to launch EBS volumes.
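The console steps above are a per-region setting, so the same change has to be repeated for every enabled region of every account. The following script is an added example (it is not part of the original article and is not StackZone's code) that does the same thing with the AWS CLI: it lists the regions enabled for the current account, reports the ones where the Config rule would be NON_COMPLIANT, and, only when run with `--enable`, turns encryption by default on there. It assumes the AWS CLI is installed and credentials for the target account are already configured; the script name `ebs_default_encryption.sh` is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and optionally
# enable EBS "encryption by default" in every region enabled for the
# current account. Assumes the AWS CLI is installed and credentials for
# the target account are already configured; run it once per account.

# Regions enabled for this account, as whitespace-separated names.
enabled_regions() {
  aws ec2 describe-regions --query "Regions[].RegionName" --output text
}

# Prints "true" or "false": is EBS encryption by default on in region $1?
ebs_default_encryption_status() {
  aws ec2 get-ebs-encryption-by-default --region "$1" \
    --query "EbsEncryptionByDefault" --output text
}

# Prints the regions where the Config rule would report NON_COMPLIANT.
noncompliant_regions() {
  for region in $(enabled_regions); do
    if [ "$(ebs_default_encryption_status "$region")" != "true" ]; then
      echo "$region"
    fi
  done
}

# CLI equivalent of EC2 Dashboard -> Account attributes -> EBS encryption
# -> Manage -> Enable. Only volumes created after the change are affected.
enable_ebs_default_encryption() {
  aws ec2 enable-ebs-encryption-by-default --region "$1" \
    --query "EbsEncryptionByDefault" --output text
}

# Audit all regions; remediate only when called with --enable.
main() {
  changed=0
  for region in $(noncompliant_regions); do
    echo "NON_COMPLIANT: $region"
    if [ "$1" = "--enable" ]; then
      enable_ebs_default_encryption "$region" >/dev/null
      echo "enabled in $region"
      changed=$((changed + 1))
    fi
  done
  echo "regions changed: $changed"
}

# Usage: sh ebs_default_encryption.sh --audit
#        sh ebs_default_encryption.sh --enable
case "${1:-}" in
  --audit|--enable) main "$1" ;;
esac
```

Two things worth knowing before running it with `--enable`: the setting is per account and per region, so a multi-account environment needs this run under each account's credentials, and enabling encryption by default does not touch volumes or snapshots that already exist; those have to be copied to encrypted ones separately.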


How to Resolve with StackZone

With StackZone you can enable a remediation that encrypts all new volumes created in all accounts and enabled regions.


Go to Baseline Services -> Config Rules Regional -> EBS and enable EBS Volumes Encrypted Remediation.


This creates an EBS KMS key that encrypts all new volumes created in your AWS Organization, with a key policy that allows every account in the Organization to decrypt with it.

This means that in the event of a disaster you can use the volumes, and the snapshots taken from them, in a different account.
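The cross-account property described above comes from the key policy: the key is owned by one account, but the policy grants use of it to any principal whose `aws:PrincipalOrgID` matches the Organization. The script below is an added example of such a policy and of setting the resulting key as the EBS default key for a region; it is not StackZone's code and is not necessarily how StackZone implements the remediation. The organization ID (`o-...`), the administering account ID, the region and the file name `ebs_org_key.sh` are placeholders you supply, and the AWS CLI with credentials for the administering account is assumed.

```shell
#!/bin/sh
# Added example, not StackZone's code: a KMS key policy for an EBS default
# key that every account in one AWS Organization may use, so encrypted
# volumes and snapshots remain usable from another member account.
# Organization ID and administering account ID are placeholders you supply.

# Print the key policy JSON for organization $1, administered by account $2.
ebs_org_key_policy() {
  org_id="$1"
  admin_account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministrationByOwningAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${admin_account}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "OrganizationMayUseKeyForEbs",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:PrincipalOrgID": "${org_id}" } }
    },
    {
      "Sid": "OrganizationMayCreateGrantsForAwsServices",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*",
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": "true" },
        "StringEquals": { "aws:PrincipalOrgID": "${org_id}" }
      }
    }
  ]
}
EOF
}

# Create a key with that policy in region $3 and make it the EBS default key
# there. Prints the key ARN now used as the EBS default for that region.
create_org_ebs_default_key() {
  policy_file="$(mktemp)"
  ebs_org_key_policy "$1" "$2" > "$policy_file"
  key_arn="$(aws kms create-key --region "$3" --policy "file://$policy_file" \
    --description "EBS default key usable by organization $1" \
    --query "KeyMetadata.Arn" --output text)"
  rm -f "$policy_file"
  aws ec2 modify-ebs-default-kms-key-id --region "$3" --kms-key-id "$key_arn" \
    --query "KmsKeyId" --output text
}

# Usage: sh ebs_org_key.sh o-exampleorgid 111122223333 eu-west-1
case $# in
  3) create_org_ebs_default_key "$1" "$2" "$3" ;;
esac
```

The third statement matters for EBS specifically: EC2 attaches encrypted volumes through KMS grants, so member accounts need `kms:CreateGrant`, and the `kms:GrantIsForAWSResource` condition limits that permission to grants created on behalf of AWS services rather than arbitrary ones. KMS keys are regional, so this has to be repeated for each region where volumes are created (or a multi-Region key used), and the organization-wide `Principal: "*"` statements only have effect because of the `aws:PrincipalOrgID` condition; leaving that condition out would make the key usable from any AWS account.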


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our How It Works section with easy-to-follow videos, or just create your own StackZone account.
