How to resolve Sprinto check for encrypting EBS Volumes attached to EC2 Instances
About
Sprinto Check: AWS EBS volume should be encrypted
Ensuring data encryption at rest is a crucial security measure, particularly in public cloud environments. Encryption is essential to meet various compliance requirements such as ISO27001, PCI-DSS, SOC-2, and more. This article guides you through encrypting AWS Elastic Block Store (EBS) volumes attached to EC2 instances using AWS Key Management Service (KMS).
Purpose
The purpose of the Sprinto check for AWS EBS Volume Encryption is to enhance data security by encrypting EBS volumes and meeting compliance standards and best practices. This implementation helps you:
Data Security: Protect sensitive data stored on EBS volumes by encrypting it at rest.
Compliance Requirements: Fulfill compliance requirements for standards like ISO27001, PCI-DSS, SOC-2, etc.
Sprinto Check Passing: Update the Sprinto check status to "Passing" after implementing the recommended encryption measures.
How to Implement
To encrypt AWS EBS volumes attached to EC2 instances, follow these steps within the AWS Management Console:
Before you Begin
Ensure that you have the necessary permissions to modify EC2 and KMS settings.
Log in to Sprinto as an administrator.
Encryption Implementation
Create KMS Key:
Log in to your AWS account and navigate to IAM > Encryption keys.
Select the region you want to use and create the key.
Provide an alias name (required), tags (optional), an IAM user with administrative privileges over this key, and the IAM users and roles that may use this key for encryption and decryption.
Encrypt EBS Volumes:
Note: Do not delete the KMS key while it is in use; deleting it makes all data encrypted under that key unrecoverable.
Stop your EC2 instance.
Create an EBS snapshot of the volume you want to encrypt.
Copy the EBS snapshot, encrypting the copy using the key created in Step 1.
Create a new EBS volume from your new encrypted EBS snapshot. The new EBS volume will be encrypted.
Detach the original EBS volume and attach your new encrypted EBS volume, ensuring the device name matches the original (for example, /dev/xvda1).
Start the EC2 instance.
Post-Encryption Steps:
Your EC2 instance now has encrypted EBS volumes.
If required, on the Sprinto app, go to Security Hub > Infrastructure, then select your EBS service and click the sync button from the top bar to refresh and sync the data.
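The console procedure above (stop the instance, snapshot, encrypted snapshot copy, new volume, swap under the same device name, start) and the post-encryption verification can both be driven from the AWS API. The script below is an added example and is not Sprinto's or AWS's own code; it uses boto3 and assumes the KMS key from Step 1 already exists and is passed in as its ID or ARN. The EC2 client is a parameter, so the same logic runs against a fake client without credentials, and the volume IDs, instance ID, and key ARN in the sample data are constructed placeholders. It also preserves the DeleteOnTermination flag of the original attachment, which a plain attach does not carry over.

```python
"""Find and encrypt the unencrypted EBS volumes attached to an EC2 instance.

Added example, not Sprinto's or AWS's code. Mirrors the article's console
procedure with boto3. The EC2 client is injected so the logic can run
against a fake client; the sample data below is constructed.
"""

# Constructed sample: the "Volumes" list of a describe_volumes response for one
# instance with an unencrypted root volume and an already-encrypted data volume.
SAMPLE_VOLUMES = [
    {
        "VolumeId": "vol-0aaa111",  # placeholder ids, not real resources
        "AvailabilityZone": "us-east-1a",
        "VolumeType": "gp3",
        "Encrypted": False,
        "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/xvda",
                         "State": "attached", "DeleteOnTermination": True}],
    },
    {
        "VolumeId": "vol-0bbb222",
        "AvailabilityZone": "us-east-1a",
        "VolumeType": "gp3",
        "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "Attachments": [{"InstanceId": "i-0123", "Device": "/dev/xvdf",
                         "State": "attached", "DeleteOnTermination": False}],
    },
]


def unencrypted_attached_volumes(volumes):
    """Return one dict per attached volume that is not encrypted at rest.

    `volumes` is the "Volumes" list of a describe_volumes response. An empty
    result for an instance is what the check expects after the procedure.
    """
    findings = []
    for vol in volumes:
        if vol.get("Encrypted", False):
            continue
        for att in vol.get("Attachments", []):
            if att.get("State") in ("attached", "attaching"):
                findings.append({
                    "VolumeId": vol["VolumeId"],
                    "InstanceId": att["InstanceId"],
                    "Device": att["Device"],
                    "DeleteOnTermination": att.get("DeleteOnTermination", False),
                })
    return findings


def encrypt_volume(ec2, region, finding, kms_key_id):
    """Replace one unencrypted attached volume with an encrypted copy.

    The caller must already have stopped the instance. Returns the new volume id.
    """
    volume_id, instance_id, device = finding["VolumeId"], finding["InstanceId"], finding["Device"]
    source = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]

    # Snapshot the unencrypted volume and wait for the snapshot to complete.
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # Copy the snapshot; the copy is encrypted with the customer-managed KMS key.
    enc_snap_id = ec2.copy_snapshot(SourceRegion=region, SourceSnapshotId=snap_id,
                                    Encrypted=True, KmsKeyId=kms_key_id,
                                    Description=f"encrypted copy of {snap_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # A volume created from an encrypted snapshot is itself encrypted.
    new_vol_id = ec2.create_volume(AvailabilityZone=source["AvailabilityZone"],
                                   SnapshotId=enc_snap_id,
                                   VolumeType=source["VolumeType"])["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol_id])

    # Swap the volumes, keeping the device name the instance expects.
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol_id, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol_id])

    # attach_volume does not carry over DeleteOnTermination; restore the original
    # setting so a root volume is cleaned up (or kept) exactly as before.
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        BlockDeviceMappings=[{"DeviceName": device,
                              "Ebs": {"VolumeId": new_vol_id,
                                      "DeleteOnTermination": finding["DeleteOnTermination"]}}])
    return new_vol_id


def encrypt_instance_volumes(ec2, region, instance_id, kms_key_id):
    """Run the article's steps for every unencrypted volume on one instance.

    Returns {old_volume_id: new_volume_id}. The old volumes and the unencrypted
    snapshots are left for the operator to delete once the instance is verified.
    """
    volumes = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])["Volumes"]
    targets = unencrypted_attached_volumes(volumes)
    if not targets:
        return {}
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    replaced = {f["VolumeId"]: encrypt_volume(ec2, region, f, kms_key_id) for f in targets}
    ec2.start_instances(InstanceIds=[instance_id])
    return replaced


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        import boto3  # needed only for a real run against AWS
        region, instance_id, kms_key_id = sys.argv[1:4]
        client = boto3.client("ec2", region_name=region)
        print(encrypt_instance_volumes(client, region, instance_id, kms_key_id))
    else:
        # Offline: report what the check would flag in the constructed sample.
        print(unencrypted_attached_volumes(SAMPLE_VOLUMES))
```

Run it as `python encrypt_ebs.py <region> <instance-id> <kms-key-arn>` with credentials that may stop the instance and manage snapshots and volumes; without arguments it only lists the unencrypted attached volumes in the sample data. After the run, a second call to `unencrypted_attached_volumes` on a fresh `describe_volumes` result should return an empty list, which is the state the Sprinto sync picks up as "Passing".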
Additional Resources
Watch the video below to learn how to ensure that all future EBS volumes stay encrypted.
Video Guide
Once the encryption is enabled, Sprinto retrieves the changes from your AWS account and sets the assigned Sprinto check status to "Passing."
In case of any questions or concerns, please get in touch with Sprinto Support. We're here to assist you with your encryption implementation.