More Info:

Ensure EBS volumes are encrypted

Risk Level

High

Address

Security

Compliance Standards

HITRUST, AWSWAF, CISAWS, CBP, SOC2, GDPR, PCIDSS

Remediation

Using Console

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. From the navigation bar, select the Region.

  3. From the navigation pane, select EC2 Dashboard.

  4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

  5. Choose Manage.

  6. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.

  7. Choose Update EBS encryption.

Using CLI

  1. To view the encryption by default setting

    a. For a specific Region

    $ aws ec2 get-ebs-encryption-by-default --region region

    b. For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done

  2. To enable encryption by default

    a. For a specific Region

    $ aws ec2 enable-ebs-encryption-by-default --region region

    b. For all Regions in your account

    $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done

Using Python

To enable encryption by default for a region using Python, you can use the boto3 library to interact with AWS resources. Here’s a Python script equivalent to the steps mentioned:

import boto3

def enable_default_encryption(region):
    ec2 = boto3.client('ec2', region_name=region)
    response = ec2.enable_ebs_encryption_by_default()

    # Check if default encryption is successfully enabled
    if response['EbsEncryptionByDefault']:
        print("Default EBS encryption enabled successfully for region:", region)
    else:
        print("Failed to enable default EBS encryption for region:", region)

if __name__ == "__main__":
    # Specify the region where you want to enable default encryption
    region = 'your-region'  # Replace 'your-region' with your desired AWS region
    enable_default_encryption(region)

Replace 'your-region' with the AWS region where you want to enable default encryption. You can find a list of AWS region codes here.

Make sure you have appropriate AWS credentials configured either through environment variables, AWS CLI configuration, or IAM roles assigned to your EC2 instance if you’re running this script on an EC2 instance.