> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# EBS volume encrypted

### More Info:

Ensure EBS volumes are encrypted

### Risk Level

High

### Address

Security

### Compliance Standards

HITRUST, AWSWAF, CISAWS, CBP, SOC2, GDPR, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

        2. From the navigation bar, select the Region.

        3. From the navigation pane, select EC2 Dashboard.

        4. In the upper-right corner of the page, choose Account Attributes, Data protection and security.

        5. Choose Manage.

        6. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.

        7. Choose Update EBS encryption.

        #
      </Accordion>

      <Accordion title="Using CLI">
        1. To view the encryption by default setting
           a. For a specific Region
           ```
           $ aws ec2 get-ebs-encryption-by-default --region region
           ```
           b.For all Regions in your account
           ```
           $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 get-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done
           ```
        2. To enable encryption by default
           a. For a specific Region
           ```
           $ aws ec2 enable-ebs-encryption-by-default --region region
           ```
           b. For all Regions in your account
           ```
           $ for region in $(aws ec2 describe-regions --region us-east-1 --query "Regions[*].[RegionName]" --output text); do   default=$(aws ec2 enable-ebs-encryption-by-default --region $region --query "{Encryption_By_Default:EbsEncryptionByDefault}" --output text); kms_key=$(aws ec2 get-ebs-default-kms-key-id --region $region | jq '.KmsKeyId'); echo "$region  --- $default  --- $kms_key"; done
           ```
      </Accordion>

      <Accordion title="Using Python">
        To enable encryption by default for a region using Python, you can use the `boto3` library to interact with AWS resources. Here's a Python script equivalent to the steps mentioned:

        ```python theme={null}
        import boto3

        def enable_default_encryption(region):
            ec2 = boto3.client('ec2', region_name=region)
            response = ec2.enable_ebs_encryption_by_default()

            # Check if default encryption is successfully enabled
            if response['EbsEncryptionByDefault']:
                print("Default EBS encryption enabled successfully for region:", region)
            else:
                print("Failed to enable default EBS encryption for region:", region)

        if __name__ == "__main__":
            # Specify the region where you want to enable default encryption
            region = 'your-region'  # Replace 'your-region' with your desired AWS region
            enable_default_encryption(region)
        ```

        Replace `'your-region'` with the AWS region where you want to enable default encryption. You can find a list of AWS region codes [here](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints).

        Make sure you have appropriate AWS credentials configured either through environment variables, AWS CLI configuration, or IAM roles assigned to your EC2 instance if you're running this script on an EC2 instance.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

.
