Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 7 EBS default encryption should be enabled

Description

This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled.

When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data. For more information, see Encryption by default in the Amazon EC2 User Guide for Linux Instances.

Note that following instance types do not support encryption: R1, C1, and M1.

Remediation

You can use the Amazon EC2 console to enable default encryption for Amazon EBS volumes.

To configure the default encryption for Amazon EBS encryption for a Region

  1. Open the Amazon EC2 console at.
  2. From the navigation pane, select EC2 Dashboard.
  3. In the upper-right corner of the page, choose Account Attributes, EBS encryption.
  4. Choose Manage.
  5. Select Enable. You can keep the AWS managed CMK with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed CMK.
  6. Choose Update EBS encryption.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_7 --share

SQL

This control uses a named query:

ec2_ebs_default_encryption_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_at_rest
foundational_security_item_id = ec2_7
plugin = aws
service = AWS/EC2