AWS EBS Volumes – Why Should They Be Encrypted?

AWS EBS Volumes Encryption - Cloud Security

Organizations want maximum security for their cloud infrastructure so that they can focus on their business rather than worrying about the data and resources they keep in the cloud. EBS volumes hold crucial data, and it is necessary to ensure that this stored data is protected with AWS EBS volume encryption.

What is AWS EBS?

EBS (Elastic Block Store) is a block storage service provided by AWS that is used to store quickly accessible, highly persistent data. Amazon EBS provides block-level storage volumes for use with EC2 instances.

Why encrypt unencrypted EBS volumes?

There are mainly three varieties of volumes – General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic – which differ in performance characteristics and cost. An EBS volume can be attached to a running instance in the same Availability Zone. EBS volumes are best suited as primary storage for file systems or databases, or for any application that requires frequent updates and access to unformatted, raw data. They can be used for long, continuous read/write operations as well as for fast read/write operations.

AWS lets users encrypt their EBS volumes to protect sensitive data. The encryption solution is simplified: AWS encrypts the volumes without requiring the user to build and secure a key management infrastructure. When an encrypted EBS volume is created and attached to a resource, the data stored at rest on the volume as well as the snapshots taken from it are encrypted. AWS KMS (Key Management Service) performs the cryptographic operations for EBS. A default master key is created automatically and used for encryption and decryption the first time an encrypted EBS volume is created in a region. The user can instead supply their own CMK (Customer Master Key), which provides extra flexibility when defining access controls and allows users to create, rotate and disable encryption keys specific to individual applications and users.

What happens when EBS volumes are not encrypted?

Unencrypted EBS volumes mean that the data stored in them may be exposed to a potential security attack, since anyone who obtains the volume, a snapshot of it, or the underlying storage can read the data directly. It is therefore important to make sure that the security of your sensitive or confidential data has not been compromised. Users need to realize the importance of ensuring that their EBS volumes are encrypted in order to attain the maximum security level in their cloud environment.

How can Centilytics help you?

Centilytics provides a dedicated insight on EBS volume encryption that lists all of your EBS volumes which are not encrypted, so that users can take note of them and act accordingly.

Insight descriptions:

Severity | Description
Warning  | Displayed when the corresponding EBS volume is not encrypted.
OK       | Displayed when the corresponding EBS volume is encrypted.

The further columns are described as follows:

  1. Account Id: Shows the AWS account ID of the user's account.
  2. Account Name: Shows the account name corresponding to the user's account.
  3. Region: Shows the region in which the corresponding EBS volume exists.
  4. Identifier: Shows the unique volume ID of the EBS volume.
  5. Volume Type: Shows the type of EBS volume being used.

Compliances covered:

Compliance Name | Reference No. | Link
Trusted Advisor | -             | https://console.aws.amazon.com/trustedadvisor/home?#/category/security

Filters applicable:

Filter Name | Description
Account Id | Applying the account ID filter displays all EBS volumes for the selected account ID.
Region | Applying the region filter displays all EBS volumes in the selected region.
Severity | Applying the severity filter displays EBS volumes according to the selected severity type, i.e. selecting Warning displays all volumes with Warning severity, and the same applies to the OK severity type.
Resource Tags | Applying the resource tags filter displays those EBS volumes which have been assigned the selected resource tag. For example, if the user has tagged some volumes with a resource tag named environment, then selecting environment in the resource tags filter displays all of those volumes.
Resource Tags Value | Applying the resource tags value filter displays data which has the selected resource tag value. For example, if the user has tagged some resources with a tag named environment and given it the value production (environment:production), then the user can view data for all resources tagged "environment:production". The tag value filter can only be used when a tag name has been provided.
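The following is an added example, not Centilytics' code, showing how the Warning/OK severity from the insight table above and the Severity, Resource Tags and Resource Tags Value filters can be implemented over the dictionary shape that the EC2 DescribeVolumes API returns (boto3's ec2.describe_volumes()). The volume IDs, account details and tags in SAMPLE_RESPONSE are constructed so the check runs offline.

```python
from typing import Dict, List, Optional

# Constructed sample in the shape of an EC2 DescribeVolumes response
# (what boto3's ec2.describe_volumes() returns); not real account data.
SAMPLE_RESPONSE = {
    "Volumes": [
        {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "VolumeType": "gp2", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "Tags": [{"Key": "environment", "Value": "production"}]},
        {"VolumeId": "vol-0aaaaaaaaaaaaaaa2", "VolumeType": "io1", "Encrypted": False,
         "Tags": [{"Key": "environment", "Value": "production"}]},
        {"VolumeId": "vol-0aaaaaaaaaaaaaaa3", "VolumeType": "standard", "Encrypted": False},
    ]
}


def volume_severity(volume: Dict) -> str:
    """Warning when the volume is not encrypted, OK when it is."""
    return "OK" if volume.get("Encrypted", False) else "Warning"


def audit_volumes(response: Dict, account_id: str, account_name: str, region: str) -> List[Dict]:
    """Build one finding per volume carrying the columns the insight displays."""
    findings = []
    for vol in response.get("Volumes", []):
        findings.append({
            "Account Id": account_id,
            "Account Name": account_name,
            "Region": region,
            "Identifier": vol["VolumeId"],
            "Volume Type": vol.get("VolumeType", ""),
            "Severity": volume_severity(vol),
            "KmsKeyId": vol.get("KmsKeyId"),  # only present on encrypted volumes
            "Tags": {t["Key"]: t["Value"] for t in vol.get("Tags", [])},
        })
    return findings


def filter_findings(findings: List[Dict], severity: Optional[str] = None,
                    tag_key: Optional[str] = None, tag_value: Optional[str] = None) -> List[Dict]:
    """Apply the Severity, Resource Tags and Resource Tags Value filters."""
    if tag_value is not None and tag_key is None:
        raise ValueError("a tag value filter requires a tag name")  # rule from the filter table
    out = []
    for f in findings:
        if severity is not None and f["Severity"] != severity:
            continue
        if tag_key is not None and tag_key not in f["Tags"]:
            continue
        if tag_value is not None and f["Tags"][tag_key] != tag_value:
            continue
        out.append(f)
    return out
```

Paginated real responses (NextToken) and per-region iteration are left to the caller; the classification and filtering logic is the same.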

Read More:

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html