Announcing Tami, Our New AI Cloud SecOps Agent Learn More

LET’S TALK

Automatically unencrypted EBS Volumes remediation using KMS keys

Download PDF
Table of Contents

Table of Contents

Download PDF

Description

This playbook describes how to remediate unencrypted EBS Volumes automatically. Amazon EBS encrypted volumes provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon EBS encryption to increase the data protection of your applications deployed in the cloud and to fulfill compliance requirements for encryption at rest. In addition, this guide explains how KMS integrates with EBS encrypted workflows to ensure seamless key management across AWS environments. Amazon EBS combined with KMS helps enforce best security practices, ensuring encryption consistency and compliance.

Severity Level

Unencrypted EBS volumes pose a high-severity security risk. They can expose sensitive data if compromised. This playbook addresses this critical issue by using Amazon EBS encryption with KMS to ensure all AWS volumes are encrypted and compliant.

Playbook Steps

1. Deploy an automated process to trace unencrypted EBS and Automated remediation:

  • AWS Config Rule - To trace unencrypted EBSs in the deployed region.
  • AWS System Manager Automation - To handle remediation for each non-compliant resource:
  1. Stop Instance
  2. Create a volume snapshot
  3. Encrypt Snapshot
  4. Detach unencrypted volume
  5. Attach new encrypted volume
  6. Restart Instance

2. Enable EBS encryption as default for all accounts.

3. Add SCP Deny policy for creation of an instance with unencrypted EBS.

Prerequisites

  • Workstation with AWS CLI and jq installed.
  • IAM permissions for CloudFormation, EC2, Systems Manager, Config, and KMS.
  • AWS Organizations configured with all features enabled.
  • AWS Config enabled and no existing "encrypted-volumes" Config rule.
  • AWS Systems Manager enabled.

Notes

  • Public-facing instances without static IP will get a new public IP after recreation.
  • Region-specific playbook.
  • If using a pre-existing KMS key, update the KMS key policy to add the remediation role.
  • AWS Config enabled and no existing "encrypted-volumes" Config rule.

Automation Stack Limitations

  • Refer to Auto Scaling Group section for ASG-managed assets.
  • No direct way to encrypt existing unencrypted volumes; workaround provided.
  • Encrypts all EBS volumes with the same AWS KMS.

Deployment

  • If no KMS ARN is provided, a new KMS CMK is created.
  • Deploy EBSEncryptionAutomation.yaml in CloudFormation.
  • Update Key policy to add EncryptionRemediationRole.

Usage

  • AWS Console: Config > Rules > encrypted-volumes.
  • Select the resource and click Remediate.
  • View progress in Systems Manager Automation.

Auto Scaling Group Remediation

1. Enable encryption by default.
2. Suspend Health Check in Auto Scaling Group.
3. Execute remediation.
4. Re-enable Health Check.

Enforce Service Control Policies

  • Create SCP in AWS Organizations using DenyUnencryptedEC2.json.

Enable Default EBS Encryption

  • Run enable-ebs-encryption-for-account.sh script with KMS key_id and optional AWS profile.

Frequently Asked Questions

What are the benefits of using Amazon EBS encrypted volumes with KMS?

Amazon EBS encrypted volumes with KMS provide secure data at rest, prevent unauthorized access, and simplify key management in AWS. This ensures compliance and consistent protection.

AWS Config continuously monitors resources and uses rules like encrypted-volumes to detect non-compliant, unencrypted volumes. This enables automated remediation for Amazon EBS resources.

Yes, you can use a pre-existing KMS key. Update the key policy to include the remediation role so EBS encrypted volumes can be created seamlessly.

For Auto Scaling Groups, suspend the health check process, execute the remediation, and then re-enable checks. This ensures encrypted Amazon EBS volumes are deployed correctly.

EBS encryption is region-specific. You must enable default encryption separately for each AWS region to ensure all Amazon EBS volumes are encrypted.

It creates a snapshot, encrypts it, detaches the unencrypted volume, and attaches the new EBS encrypted volume using AWS KMS for secure storage.

 

IAM roles must allow access to CloudFormation, EC2, Systems Manager, Config, and KMS in AWS to manage Amazon EBS encrypted volumes.

Yes, it integrates with AWS Config and KMS policies, aligning Amazon EBS encryption with broader security compliance frameworks and automation workflows.

Learn More About Tamnoon’s Managed Cloud Security

BOOK A MEETING

Learn More About Tamnoon’s Managed Service

BOOK A MEETING
Scroll to Top

Platform

Learn about Tamnoon's cloud security Al platform.

Learn More

Tami

The AI cloud security agent at Tamnoon’s core.

Integrations

See all the platforms Tamnoon works with.

Reporting and Compliance

Deep and relevant reporting to keep you compliant.

Agentic Prioritization

Make sure you’re working on the right issues.

Agentic Investigation

An AI-first process to get to the truth behind the alert.

Agentic Remediation

Custom-made remediation plans for every scenario.

CNAPP Copilot

Keep your backlog in check using AI built for SecOps.

CDR Copilot

An active, 24/7 Cloud SOC powered by AI.

Expert Supervision

Cloud security experts that know how to work with, not against, AI.

Agentic Cloud
Security

An AI-managed cloud security experience.

Expert-supervised Security

Expert AI Cloud SecOps backed by human experts.

Tool-agnostic Security

We work with the stack you already use

Cloud Detection and Response

An active, 24/7 Cloud SOC.

Full-cycle Remediation

Go from open → closed faster.


CNAPP Migration

Migrate between CNAPPs without losing coverage.

Crown Jewels

Focus on your most precious assets first.

Resources

Research & Interactive

Recent Content

Full CNAPP Demos

Watch on-demand demos from all major CNAPPs, filmed at our latest showcase.
HOW IT WORKS
LET’S TALK