AWS-023 Amazon Web Services (AWS)

EBS volume encryption-by-default is enabled per region.

Domain: Amazon Web Services (AWS)
Area: Data Protection
Automated / manual: Automated

Risk if it fails

Unencrypted volumes expose their data through any snapshot or clone taken of them.

An attacker who copies a disk snapshot can mount it and read everything. Encryption makes a stolen copy unreadable without the key.

How Tess tests it

1 test — each concludes only on cited evidence.

EBS volume encryption-by-default is enabled per region.

Automated

Procedure: Confirm EBS encryption by default is on.

Read-only command

aws ec2 get-ebs-encryption-by-default
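
The setting is regional, and the command above reports only the region the CLI is currently configured for. The following added example (not part of the original page or of Tess) runs the same read-only call in each region; the function names are hypothetical, and it assumes the AWS CLI is installed with permission for `ec2:DescribeRegions` and `ec2:GetEbsEncryptionByDefault`.

```shell
#!/usr/bin/env bash
# Added example: audit EBS encryption-by-default in every enabled region.
# Read-only: calls only describe-regions and get-ebs-encryption-by-default.

# Print one "<region> <ENABLED|DISABLED|ERROR>" line per region.
# Regions come from the arguments, or from describe-regions if none are given.
ebs_default_encryption_report() {
    local regions region state
    if [ "$#" -gt 0 ]; then
        regions="$*"
    else
        regions=$(aws ec2 describe-regions \
            --query 'Regions[].RegionName' --output text) || return 2
    fi
    for region in $regions; do
        if state=$(aws ec2 get-ebs-encryption-by-default --region "$region" \
                --query 'EbsEncryptionByDefault' --output text 2>/dev/null); then
            case "$state" in
                [Tt]rue) echo "$region ENABLED" ;;
                *)       echo "$region DISABLED" ;;
            esac
        else
            # An API error (for example access denied) is not evidence of a pass.
            echo "$region ERROR"
        fi
    done
}

# Return 0 only if every checked region is ENABLED, 1 if any region is not,
# 2 if no evidence could be collected. Failing regions are printed.
ebs_default_encryption_check() {
    local report failed
    report=$(ebs_default_encryption_report "$@") || return 2
    [ -n "$report" ] || return 2
    failed=$(printf '%s\n' "$report" | grep -v ' ENABLED$' || true)
    if [ -n "$failed" ]; then
        printf 'FAIL:\n%s\n' "$failed"
        return 1
    fi
    echo "PASS: encryption by default is enabled in all checked regions"
}
```

Run `ebs_default_encryption_check` with no arguments to cover every region enabled for the account, or pass region names to limit the check.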
