MEDIUM EC2 · CIS 2.2.1

Unencrypted EBS volumes

Check ID: aws-ec2-002

AWS-EC2-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags EBS volumes whose data is not encrypted at rest.

Why it matters

Unencrypted EBS volumes store data in plaintext on the underlying storage, and every snapshot taken from them is plaintext too. If such a snapshot is shared with another account or made public, by mistake or by an attacker holding ec2:ModifySnapshotAttribute, the recipient can create a volume from it and read everything; accidental public snapshot sharing is a recurring misconfiguration. EBS encryption uses AES-256 with per-volume data keys protected by AWS KMS, and the encrypted state carries over to snapshots and to volumes created from them. A snapshot encrypted with the AWS managed aws/ebs key cannot be shared at all, and one encrypted with a customer managed key is usable only by principals that are also granted access to that key, so an exposed encrypted snapshot becomes a denied or logged KMS request instead of a data leak. Encryption at rest also addresses physical media handling and is required for persistent storage by frameworks such as HIPAA, PCI DSS, and SOC 2. Encryption is performed on the EC2 host, so the performance overhead is negligible on modern instance types, and using the default aws/ebs key carries no additional charge.

Common causes

Unencrypted volumes usually come from instances launched before EBS encryption by default was enabled, because enabling the setting does not change existing volumes. The setting is per account and per region, so a region that was never configured, or a newly created account in an organization, keeps producing unencrypted volumes unless the launch template or request sets encrypted explicitly. AMIs built from unencrypted volumes stay unencrypted; in a region with encryption by default enabled, instances launched from them still get encrypted volumes, but in a region without it they do not. Teams migrating from on-premises or other cloud providers often assume encryption is automatic. Some previous generation instance types (for example m1, c1, m2 and t1) do not support EBS encryption at all, so workloads pinned to them need an instance type change before the volumes can be fixed.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
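For readers who want to see what the check has to decide, this is an added example of the detection logic (a reimplementation for illustration, not cloud-audit's own code). The sample volume list, instance and volume ids, account number and key ARN are constructed; the `scan_region` function is the live variant and assumes boto3 and credentials with ec2:DescribeVolumes and ec2:GetEbsEncryptionByDefault.

```python
"""Detection logic for unencrypted EBS volumes, in the shape of aws-ec2-002."""

# Constructed sample shaped like the `Volumes` list from `aws ec2 describe-volumes`;
# every id, the account number and the key ARN are made up.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "State": "in-use", "Size": 100, "VolumeType": "gp3",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda", "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "State": "in-use", "Size": 50, "VolumeType": "gp3",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvdf", "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False, "AvailabilityZone": "us-east-1b",
     "State": "available", "Size": 20, "VolumeType": "gp2", "Attachments": []},
]


def find_unencrypted_volumes(volumes, region):
    """Return one finding per volume whose Encrypted flag is not true.

    A detached (`available`) unencrypted volume is still a finding: a snapshot
    of it can be created and shared exactly like one of an attached volume.
    """
    findings = []
    for vol in volumes:
        if vol.get("Encrypted") is True:
            continue
        findings.append({
            "check_id": "aws-ec2-002",
            "severity": "MEDIUM",
            "region": region,
            "volume_id": vol["VolumeId"],
            "state": vol.get("State"),
            "size_gib": vol.get("Size"),
            # instance:device pairs, so the finding says whose data is exposed
            "attached_to": [f'{a["InstanceId"]}:{a["Device"]}' for a in vol.get("Attachments", [])],
        })
    return findings


def scan_region(region, session=None):
    """Live variant: page through describe-volumes and read the regional default.

    boto3 is imported here so the offline sample above runs without it.
    Returns (findings, encryption_by_default_enabled) for the region.
    """
    import boto3
    ec2 = (session or boto3).client("ec2", region_name=region)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    default_on = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return find_unencrypted_volumes(volumes, region), default_on


if __name__ == "__main__":
    for f in find_unencrypted_volumes(SAMPLE_VOLUMES, "us-east-1"):
        print(f"{f['severity']} {f['check_id']} {f['volume_id']} ({f['state']}) "
              f"attached_to={f['attached_to'] or '-'}")
```

Run as-is, the script reports the two unencrypted sample volumes and stays silent about the encrypted one; pointed at a real region through `scan_region`, the second return value tells you whether the remediation below (enabling encryption by default) is still missing.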

Remediation: AWS CLI

# Enable EBS default encryption for the region (the setting is per account and per region; existing volumes are not changed):
aws ec2 enable-ebs-encryption-by-default --region REGION
# Existing volumes stay unencrypted: snapshot each one, copy the snapshot with --encrypted, create a volume from the copy and swap it in
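The snapshot-copy migration in the comment above, carried through end to end as an added example (illustrative code, not part of cloud-audit). It takes a boto3 EC2 client as a parameter; the StubEC2 class and the sample volume are constructed so the routine can be run and checked offline, and a live run assumes boto3, credentials with the EC2 snapshot/volume/instance permissions used below and kms:GenerateDataKey* on the chosen key. The instance is stopped before the snapshot so the copy is consistent, and the original volume and intermediate unencrypted snapshot are left in place for rollback.

```python
"""Unencrypted EBS volume -> snapshot -> encrypted copy -> new volume -> swapped attachment."""

SLOW_WAIT = {"Delay": 15, "MaxAttempts": 240}  # ~1 h; large snapshot copies exceed the default waiter


def migrate_volume_to_encrypted(ec2, volume_id, region, kms_key_id=None, volume_type="gp3"):
    """Return the id of a new encrypted volume carrying volume_id's data.

    `ec2` is a boto3 EC2 client (or a stub with the same method names).
    An omitted kms_key_id selects the region's default EBS key (aws/ebs unless changed).
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"]:
        raise ValueError(f"{volume_id} is already encrypted")
    attachments = list(vol.get("Attachments", []))

    # 1. Quiesce: stop the instance(s) first, otherwise writes after the snapshot are lost.
    for att in attachments:
        ec2.stop_instances(InstanceIds=[att["InstanceId"]])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[att["InstanceId"]])

    # 2. Point-in-time snapshot of the unencrypted volume (still plaintext).
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id], WaiterConfig=SLOW_WAIT)

    # 3. CopySnapshot with Encrypted=True yields an encrypted snapshot.
    key_args = {"KmsKeyId": kms_key_id} if kms_key_id else {}
    enc_snap_id = ec2.copy_snapshot(SourceSnapshotId=snap_id, SourceRegion=region, Encrypted=True,
                                    Description=f"encrypted copy of {snap_id}", **key_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id], WaiterConfig=SLOW_WAIT)

    # 4. A volume built from an encrypted snapshot is encrypted; same AZ so it can be attached.
    new_vol_id = ec2.create_volume(SnapshotId=enc_snap_id, AvailabilityZone=vol["AvailabilityZone"],
                                   VolumeType=volume_type, Encrypted=True, **key_args)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol_id])

    # 5. Swap the attachment at the same device name and restart.
    for att in attachments:
        ec2.detach_volume(VolumeId=volume_id)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_vol_id, InstanceId=att["InstanceId"], Device=att["Device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol_id])
        ec2.start_instances(InstanceIds=[att["InstanceId"]])
    return new_vol_id


class StubEC2:
    """Constructed offline stand-in for the boto3 EC2 client methods used above."""

    def __init__(self, volumes):
        self.volumes = {v["VolumeId"]: dict(v) for v in volumes}
        self.snapshots, self.calls, self._seq = {}, [], 0

    def _new_id(self, prefix):
        self._seq += 1
        return f"{prefix}-{self._seq:017x}"

    def get_waiter(self, name):
        return type("NoopWaiter", (), {"wait": lambda self, **kw: None})()

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [self.volumes[v] for v in VolumeIds]}

    def create_snapshot(self, VolumeId, **kw):
        sid = self._new_id("snap")
        self.snapshots[sid] = {"Encrypted": self.volumes[VolumeId]["Encrypted"], "KmsKeyId": None}
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": sid}

    def copy_snapshot(self, SourceSnapshotId, Encrypted=False, KmsKeyId=None, **kw):
        sid = self._new_id("snap")
        self.snapshots[sid] = {"Encrypted": Encrypted, "KmsKeyId": KmsKeyId}
        self.calls.append(("copy_snapshot", SourceSnapshotId, Encrypted))
        return {"SnapshotId": sid}

    def create_volume(self, SnapshotId, AvailabilityZone, Encrypted=False, KmsKeyId=None, **kw):
        vid, snap = self._new_id("vol"), self.snapshots[SnapshotId]
        self.volumes[vid] = {"VolumeId": vid, "AvailabilityZone": AvailabilityZone, "Attachments": [],
                             "Encrypted": Encrypted or snap["Encrypted"],
                             "KmsKeyId": KmsKeyId or snap["KmsKeyId"]}
        return {"VolumeId": vid}

    def stop_instances(self, InstanceIds): self.calls.append(("stop_instances", InstanceIds[0]))
    def start_instances(self, InstanceIds): self.calls.append(("start_instances", InstanceIds[0]))
    def detach_volume(self, VolumeId): self.volumes[VolumeId]["Attachments"] = []
    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attachments"] = [{"InstanceId": InstanceId, "Device": Device}]


# Constructed sample: an unencrypted root volume on a running instance (ids are made up).
SAMPLE_VOLUME = {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": False, "AvailabilityZone": "us-east-1a",
                 "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}]}

if __name__ == "__main__":
    stub = StubEC2([SAMPLE_VOLUME])
    new_id = migrate_volume_to_encrypted(stub, SAMPLE_VOLUME["VolumeId"], "us-east-1")
    print(new_id, stub.volumes[new_id], stub.calls)
```

Two points a practitioner should check before running this against a real account: the new volume needs the same IOPS/throughput settings as the old one if it was tuned (pass them through to create_volume), and the plaintext snapshot from step 2 must be deleted once the encrypted volume is verified, or the exposure the check warns about simply moves from the volume to the snapshot.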

Remediation: Terraform

# Encryption by default is a per-region setting: declare one of these per
# provider alias (region) you deploy to.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# Set encrypted = true explicitly so the volume is encrypted even in a region
# where the default has not been enabled. availability_zone and size (or
# snapshot_id) are required by the resource.
resource "aws_ebs_volume" "example" {
  availability_zone = "us-east-1a"
  size              = 100
  encrypted         = true
  # kms_key_id      = aws_kms_key.ebs.arn   # optional customer managed key (aws_kms_key.ebs is a placeholder); omit to use aws/ebs
}

Compliance mapping

This check maps to control 2.2.1, "Ensure EBS volume encryption is enabled in all regions", in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit