
# How to resolve Sprinto check for encrypting EBS Volumes attached to EC2 Instances

### About

Sprinto Check: AWS EBS volume should be encrypted

Ensuring data encryption at rest is a crucial security measure, particularly in public cloud environments. Encryption is essential to meet various compliance requirements such as ISO27001, PCI-DSS, SOC-2, and more. This article guides you through encrypting AWS Elastic Block Store (EBS) volumes attached to EC2 instances using AWS Key Management Service (KMS).

### Purpose

The purpose of the Sprinto check for AWS EBS Volume Encryption is to enhance data security by encrypting EBS volumes and to meet compliance standards and best practices. Implementing it covers:

* Data Security: Protect sensitive data stored on EBS volumes by encrypting it at rest.
* Compliance Requirements: Fulfill compliance requirements for standards like ISO27001, PCI-DSS, SOC-2, etc.
* Sprinto Check Passing: Update the Sprinto check status to "Passing" after implementing the recommended encryption measures.

### How to Implement

To encrypt AWS EBS volumes attached to EC2 instances, follow these steps within the AWS Management Console:

#### Before you Begin

* Ensure that you have the necessary permissions to modify EC2 and KMS settings.
* Log in to Sprinto as an administrator.

#### Encryption Implementation

1. Create KMS Key:

   * Log in to your AWS account and navigate to IAM > Encryption keys.
   * Select the region you want to use and create the key.
   * Provide the alias name (required), a tag (optional), an IAM user with administrative privileges over this key, and the IAM users and roles that can use this key for encryption and decryption.

   <figure><img src="https://s3.amazonaws.com/cdn.freshdesk.com/data/helpdesk/attachments/production/72080440695/original/wTRDoSjNOtakk3MYC26KLDLwSMH5aoD7AQ.png?1704711560" alt="" width="563"><figcaption></figcaption></figure>
2. Encrypt EBS Volumes:\
   Note: Do not delete the KMS key in use, as deleting it makes all data encrypted under that key unrecoverable.
   * Stop your EC2 instance.
   * Create an EBS snapshot of the volume you want to encrypt.
   * Copy the EBS snapshot, encrypting the copy using the key created in Step 1.
   * Create a new EBS volume from your new encrypted EBS snapshot. The new EBS volume will be encrypted.
   * Detach the original EBS volume and attach your new encrypted EBS volume, ensuring the device name matches (/dev/xvda1, etc.).
   * Start the EC2 instance.
3. Post-Encryption Steps:
   * Now, you have an EC2 instance with encrypted EBS volumes.
   * If required, on the Sprinto app, go to Security Hub > Infrastructure, then select your EBS service and click the sync button from the top bar to refresh and sync the data.
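
The "Encrypt EBS Volumes" steps above can also be run with the AWS CLI. The script below is an added example, not Sprinto's or AWS's own code. It assumes the AWS CLI is installed and configured with EC2 and KMS permissions; the function names `ec2` and `encrypt_attached_volume` are hypothetical, and the new volume is created with the default volume type.

```sh
#!/bin/sh
# Added example (not Sprinto or AWS code): the "Encrypt EBS Volumes" steps as AWS CLI calls.
# Usage: sh encrypt-ebs.sh <volume-id> <kms-key-id-or-alias> <region>
set -eu

# Thin wrapper so every call uses the same region and plain-text output.
ec2() { aws ec2 "$@" --region "$REGION" --output text; }

encrypt_attached_volume() (
  vol=$1 key=$2 REGION=$3
  q() { ec2 describe-volumes --volume-ids "$vol" --query "Volumes[0].$1"; }

  # Nothing to do if the volume is already encrypted.
  if [ "$(q Encrypted)" = "True" ]; then
    echo "$vol is already encrypted" >&2; exit 0
  fi
  az=$(q AvailabilityZone)
  inst=$(q 'Attachments[0].InstanceId')
  dev=$(q 'Attachments[0].Device')
  [ "$inst" != "None" ] || { echo "$vol is not attached to an instance" >&2; exit 1; }

  # Stop the instance so the snapshot is consistent.
  ec2 stop-instances --instance-ids "$inst" >/dev/null
  ec2 wait instance-stopped --instance-ids "$inst"

  # Snapshot the volume, then copy the snapshot with encryption under the KMS key.
  snap=$(ec2 create-snapshot --volume-id "$vol" --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$snap"
  enc=$(ec2 copy-snapshot --source-region "$REGION" --source-snapshot-id "$snap" \
        --encrypted --kms-key-id "$key" --query SnapshotId)
  ec2 wait snapshot-completed --snapshot-ids "$enc"

  # A volume created from an encrypted snapshot is encrypted. It must be in the
  # instance's Availability Zone; add --volume-type if the original was not the default.
  new=$(ec2 create-volume --snapshot-id "$enc" --availability-zone "$az" --query VolumeId)
  ec2 wait volume-available --volume-ids "$new"

  # Swap the volumes on the same device name and start the instance again.
  ec2 detach-volume --volume-id "$vol" >/dev/null
  ec2 wait volume-available --volume-ids "$vol"
  ec2 attach-volume --volume-id "$new" --instance-id "$inst" --device "$dev" >/dev/null
  ec2 start-instances --instance-ids "$inst" >/dev/null
  echo "$new"   # ID of the new encrypted volume; the old volume and snapshots are kept
)

if [ "$#" -eq 3 ]; then encrypt_attached_volume "$@"; fi
```

The original unencrypted volume and both snapshots are left in place, so remove them only after confirming the instance boots from the new volume.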

#### Additional Resources

Watch the video below to learn how to ensure that all future EBS volumes stay encrypted.

#### Video Guide

Once the encryption is enabled, Sprinto retrieves the changes from your AWS account and sets the assigned Sprinto check status to "Passing."

In case of any questions or concerns, please get in touch with [Sprinto Support](mailto:www.support@sprinto.com). We're here to assist you with your encryption implementation.

