
lacework-global-90

Encrypt Elastic Block Store (EBS) Volumes

Description

An AWS EBS volume is a durable, block-level storage device that can be attached to an EC2 instance. EBS volumes are commonly used as primary storage for data that requires frequent updates, such as the system drive for an instance or the storage for a database application. Unless encryption by default has been enabled for the Region, new volumes are created unencrypted.

Remediation

An existing unencrypted volume cannot be encrypted in place. Instead, create a snapshot of the volume, then create an encrypted volume from that snapshot. Best practice is also to enable encryption by default (a per-Region account setting) so that all new volumes and snapshots are encrypted going forward.

To enable encryption by default for a Region

  1. Log in to the AWS Management Console.

  2. From the navigation bar, select the Region.

  3. Click Services.

  4. Click EC2.

  5. Under Account Attributes, click EBS encryption.

  6. Select Manage.

  7. Select Enable under Always encrypt new EBS volumes.

  8. Choose Update EBS encryption.

To create a snapshot using the console

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Click EC2.

  4. Choose Volumes under Elastic Block Store in the navigation pane.

  5. Select a volume.

  6. Under Actions, choose Create Snapshot.

  7. Choose Create Snapshot.

To create an EBS volume from a snapshot using the console

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Click EC2.

  4. Choose Volumes under Elastic Block Store in the navigation pane.

  5. Choose Create Volume.

  6. For Snapshot ID, start typing the ID or description of the snapshot to create a volume from, and choose from the list of suggested options.

  7. (If not using encryption by default) Select Encrypt this volume.

  8. Fill in applicable volume fields.

  9. Choose Create Volume.
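The three console procedures above have AWS CLI equivalents (`enable-ebs-encryption-by-default`, `create-snapshot`, `create-volume`). The following is an added example, not part of this policy page or of Lacework's own checking code: it audits a constructed sample in the shape of `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default` output, lists the volumes that fail this policy, and, for each one, emits the CLI steps that mirror the console remediation. The volume IDs, instance ID and KMS key ARN in the sample are made up, and the snapshot ID in step 2 of each plan is a placeholder because it only exists once step 1 has run.

```python
"""Audit EBS volume encryption from describe-volumes output and plan remediation.

Added example: the JSON shapes follow the AWS CLI's `describe-volumes` and
`get-ebs-encryption-by-default` responses; all IDs below are constructed.
"""
import json

# Constructed sample output (not captured from a real account).
DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa111122223333a", "Encrypted": False,
         "AvailabilityZone": "us-east-1a", "Size": 8, "VolumeType": "gp3",
         "State": "in-use",
         "Attachments": [{"InstanceId": "i-0123456789abcdef0",
                          "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0bbb111122223333b", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "AvailabilityZone": "us-east-1a", "Size": 100, "VolumeType": "gp3",
         "State": "in-use", "Attachments": []},
        {"VolumeId": "vol-0ccc111122223333c", "Encrypted": False,
         "AvailabilityZone": "us-east-1b", "Size": 20, "VolumeType": "gp2",
         "State": "available", "Attachments": []},
    ]
})
ENCRYPTION_BY_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})


def default_encryption_enabled(get_default_json):
    """True when 'Always encrypt new EBS volumes' is on for the Region."""
    return bool(json.loads(get_default_json).get("EbsEncryptionByDefault", False))


def find_unencrypted_volumes(describe_volumes_json):
    """Return the volume records whose Encrypted flag is false or absent."""
    volumes = json.loads(describe_volumes_json).get("Volumes", [])
    # A missing flag is treated as unencrypted: the conservative choice for an audit.
    return [v for v in volumes if not v.get("Encrypted", False)]


def remediation_plan(volume, region, encryption_by_default):
    """CLI equivalent of the console procedure for one unencrypted volume:
    snapshot it, then create an encrypted volume from that snapshot.

    `create-snapshot` returns the snapshot ID only at run time, so the plan
    carries a placeholder that the operator substitutes before running step 2.
    """
    vol_id = volume["VolumeId"]
    az = volume["AvailabilityZone"]
    snapshot_id = "<SNAPSHOT-ID-FROM-STEP-1>"
    steps = [
        ["aws", "ec2", "create-snapshot", "--region", region,
         "--volume-id", vol_id,
         "--description", f"pre-encryption snapshot of {vol_id}"],
        ["aws", "ec2", "create-volume", "--region", region,
         "--availability-zone", az, "--snapshot-id", snapshot_id,
         "--volume-type", volume.get("VolumeType", "gp3")],
    ]
    # Mirrors console step 7: the explicit flag is only needed when the
    # Region does not already encrypt new volumes by default.
    if not encryption_by_default:
        steps[1].append("--encrypted")
    return steps


def audit(describe_volumes_json, get_default_json, region):
    """Summarise the Region: default-encryption state, non-compliant volumes,
    and which of those are attached to an instance (the new encrypted volume
    must be swapped in for the original on that instance)."""
    default_on = default_encryption_enabled(get_default_json)
    unencrypted = find_unencrypted_volumes(describe_volumes_json)
    report = {
        "region": region,
        "encryption_by_default": default_on,
        "unencrypted_volume_ids": [v["VolumeId"] for v in unencrypted],
        "attached_unencrypted_ids": [v["VolumeId"] for v in unencrypted
                                     if v.get("Attachments")],
        "plans": {v["VolumeId"]: remediation_plan(v, region, default_on)
                  for v in unencrypted},
    }
    if not default_on:
        # Account-level fix from "To enable encryption by default for a Region".
        report["enable_default_command"] = [
            "aws", "ec2", "enable-ebs-encryption-by-default", "--region", region]
    return report


if __name__ == "__main__":
    print(json.dumps(audit(DESCRIBE_VOLUMES, ENCRYPTION_BY_DEFAULT, "us-east-1"),
                     indent=2))
```

To run it against a real account, replace the two constructed strings with the output of `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default` for the Region in question; the plan is deliberately returned as argument lists rather than executed, so it can be reviewed before anything is changed.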