AWS Config Rule: EC2 EBS Encryption by Default
EC2_EBS_ENCRYPTION_BY_DEFAULT
Fernando Honig
Last Update a year ago
Description: Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.
Trigger type: Periodic
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Spain) and Europe (Zurich)
How to Resolve Manually
To resolve this manually, log in to the AWS Management Console and open EC2 under Services.
On the EC2 Dashboard, in the right-hand Account attributes column, select EBS encryption.
Click Manage, tick Enable, and select the default encryption key. This setting is per region and per account, so it needs to be done in every region and AWS account where you have resources or plan to launch EBS volumes.
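The same check and fix can be scripted so it covers every enabled region of an account in one pass. The following is an added example written for this article, not StackZone's or AWS's own code. It uses the real boto3 EC2 operation names (get_ebs_encryption_by_default, enable_ebs_encryption_by_default, modify_ebs_default_kms_key_id, get_ebs_default_kms_key_id, describe_regions) but ships with a constructed in-memory fake client so it runs offline; the KMS key ARN is a placeholder, and real_clients() is only used against a live account.

```python
"""Evaluate and remediate EC2 'EBS encryption by default', region by region.

Added example for this article, not StackZone's or AWS's own code. The method
names match boto3's EC2 client; FakeEc2Client is a constructed stand-in so the
script runs offline, and the KMS key ARN below is a placeholder.
"""
from typing import Dict, Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


class FakeEc2Client:
    """Constructed stand-in for a boto3 EC2 client; holds one region's setting."""

    def __init__(self, encrypted_by_default: bool = False):
        self._enabled = encrypted_by_default
        self._kms_key_id = "alias/aws/ebs"  # the AWS-managed default key

    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": self._enabled}

    def enable_ebs_encryption_by_default(self):
        self._enabled = True
        return {"EbsEncryptionByDefault": True}

    def modify_ebs_default_kms_key_id(self, KmsKeyId: str):
        self._kms_key_id = KmsKeyId
        return {"KmsKeyId": KmsKeyId}

    def get_ebs_default_kms_key_id(self):
        return {"KmsKeyId": self._kms_key_id}


def evaluate(ec2) -> str:
    """Mirror the Config rule: NON_COMPLIANT unless encryption by default is on."""
    resp = ec2.get_ebs_encryption_by_default()
    return COMPLIANT if resp.get("EbsEncryptionByDefault") else NON_COMPLIANT


def remediate(ec2, kms_key_id: Optional[str] = None) -> str:
    """Turn encryption by default on; optionally point the default at a CMK."""
    ec2.enable_ebs_encryption_by_default()
    if kms_key_id:
        ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_id)
    return evaluate(ec2)


def sweep(clients_by_region: Dict[str, object], kms_key_id: Optional[str] = None,
          fix: bool = False) -> Dict[str, str]:
    """Evaluate (and, with fix=True, remediate) every region in one account."""
    results = {}
    for region, ec2 in clients_by_region.items():
        status = evaluate(ec2)
        if status == NON_COMPLIANT and fix:
            status = remediate(ec2, kms_key_id)
        results[region] = status
    return results


def real_clients(session) -> Dict[str, object]:
    """Build one EC2 client per enabled region from a boto3.Session (live use only)."""
    regions = session.client("ec2").describe_regions(AllRegions=False)["Regions"]
    return {r["RegionName"]: session.client("ec2", region_name=r["RegionName"])
            for r in regions}


if __name__ == "__main__":
    # Constructed sample: two regions, one of them already compliant.
    demo = {"us-east-1": FakeEc2Client(False), "eu-west-1": FakeEc2Client(True)}
    print(sweep(demo))
    print(sweep(demo, kms_key_id="arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER",
                fix=True))
    # For a real account: sweep(real_clients(boto3.Session()), fix=True)
```

Because the setting is per region, the sweep deliberately iterates describe_regions rather than trusting a single default region; a region left out of the loop is exactly the gap the Config rule would later report.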
How to Resolve with StackZone
With StackZone you can enable a remediation that encrypts all new volumes created in all accounts and enabled regions.
Go to Baseline Services -> Config Rules Regional -> EBS and enable EBS Volumes Encrypted Remediation.
This creates an EBS KMS key that encrypts all new volumes created in your AWS Organization, and the key's policy allows the entire Organization to decrypt with it.
This means that in case of a disaster you can use the volumes, and the snapshots taken from them, in a different account.
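What makes the cross-account recovery described above possible is the key policy on that customer-managed key, since the AWS-managed aws/ebs key cannot be used from another account. The following is an added example, not StackZone's actual policy: it models the organization-wide grant with the aws:PrincipalOrgID condition key, pairs it with a small checker that flags any wildcard-principal statement that lacks that scoping, and uses placeholder values for the account and organization IDs.

```python
"""Key policy for a customer-managed EBS KMS key usable across an AWS Organization.

Added example; StackZone's real policy is not shown on the page. The org-wide
grant is modelled with the aws:PrincipalOrgID condition key. ACCOUNT_ID and
ORG_ID are placeholders.
"""
import copy
import json
from typing import Dict, List, Optional

ACCOUNT_ID = "111122223333"   # placeholder: the account that owns the key
ORG_ID = "o-exampleorgid"     # placeholder: your AWS Organization ID


def build_org_ebs_key_policy(account_id: str, org_id: str) -> Dict:
    """Return a key policy: full admin for the owning account, use for the org."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # key administration stays with the owning account
                "Sid": "EnableRootAccountPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # any principal in the organization may encrypt/decrypt with the key
                "Sid": "AllowOrganizationUseOfTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {   # EC2/EBS creates grants on the caller's behalf when attaching volumes
                "Sid": "AllowOrganizationGrantsForAwsResources",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:PrincipalOrgID": org_id},
                    "Bool": {"kms:GrantIsForAWSResource": "true"},
                },
            },
        ],
    }


def _actions(stmt: Dict) -> List[str]:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def _is_wildcard_principal(stmt: Dict) -> bool:
    p = stmt.get("Principal")
    return p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")


def _org_condition(stmt: Dict) -> Optional[str]:
    return stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")


def org_can_decrypt(policy: Dict, org_id: str) -> bool:
    """True if some Allow statement grants kms:Decrypt (or kms:*) scoped to org_id."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        if not any(a in ("kms:*", "kms:Decrypt") for a in _actions(s)):
            continue
        if _org_condition(s) == org_id:
            return True
    return False


def unscoped_wildcard_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements with Principal '*' and no aws:PrincipalOrgID scope.

    Such a statement would let any AWS account use the key, not just the org."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _is_wildcard_principal(s)
            and _org_condition(s) is None]


if __name__ == "__main__":
    policy = build_org_ebs_key_policy(ACCOUNT_ID, ORG_ID)
    print(json.dumps(policy, indent=2))
    print("org can decrypt:", org_can_decrypt(policy, ORG_ID))
    print("unscoped wildcard statements:", unscoped_wildcard_statements(policy))
```

The checker is the part worth keeping around: a key policy with Principal "*" is only safe because of the aws:PrincipalOrgID condition, so dropping that condition during a manual edit silently turns an organization-wide key into a publicly usable one.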
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our How it works section, with easy-to-follow videos, or just create your own StackZone account here.