EBS encryption by default
Description
EBS encryption enabled by default for all new volumes in a region.
⚠️ Risk Impact
Unencrypted EBS volumes expose data when access controls fail. Default encryption catches every new volume automatically.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Run `aws ec2 enable-ebs-encryption-by-default --region <region>` in each region, then configure the default KMS key.
💀 Real-World Attack Scenario
An EC2 instance with an unencrypted EBS volume was compromised. The attackers detached the volume and attached it to an instance they controlled, reading it at the filesystem level and bypassing the running OS entirely. Default encryption would have made this attack infeasible.
💰 Cost of Non-Compliance
Average cost of a breach involving unencrypted EBS data: $4.45M.
📋 Audit Questions
1. EBS encryption-by-default enabled in all regions?
2. Default KMS key configured?
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
# Customer-managed key referenced by the default-key resource below
resource "aws_kms_key" "ebs" {
  description         = "Customer-managed key for default EBS encryption"
  enable_key_rotation = true
}

# Both settings are regional: apply them once per region (one provider per region)
resource "aws_ebs_encryption_by_default" "main" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "main" {
  key_arn = aws_kms_key.ebs.arn
}
⚡ Common Pitfalls
- ⛔ Per-region setting: it must be enabled separately in every region
- ⛔ The default key is the AWS-managed key unless a customer-managed key is configured
- ⛔ Existing unencrypted volumes stay unencrypted; only new volumes are affected
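A multi-region audit covering the remediation steps and the three pitfalls above, added here as an example (it is not EchelonGraph's scanner code). The `collect_live` path assumes boto3 is installed and credentials are configured; without `--live` it runs on constructed sample data.

```python
import sys

# get-ebs-default-kms-key-id returns this alias while no customer-managed key is set
AWS_MANAGED_EBS_KEY = "alias/aws/ebs"


def audit_region(region, enabled, default_key, volumes):
    """Return finding strings for one region, covering the three pitfalls the control lists."""
    findings = []
    if not enabled:  # the setting is regional, so every region is checked on its own
        findings.append(f"{region}: encryption by default is disabled")
    if default_key == AWS_MANAGED_EBS_KEY:
        findings.append(f"{region}: default key is AWS-managed; set a customer-managed key "
                        "with aws ec2 modify-ebs-default-kms-key-id")
    # Enabling the default never touches volumes that already exist; list them explicitly
    legacy = sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))
    if legacy:
        findings.append(f"{region}: {len(legacy)} pre-existing unencrypted volume(s): "
                        + ", ".join(legacy))
    return findings


def audit_all(regions):
    """regions maps region name -> (enabled, default_key, volumes); returns all findings."""
    return [f for region, args in regions.items() for f in audit_region(region, *args)]


def collect_live(region):
    """Gather one region's real inputs with boto3 (assumed installed and credentialled)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    key = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    pages = ec2.get_paginator("describe_volumes").paginate()
    return enabled, key, [v for page in pages for v in page["Volumes"]]


# Constructed sample data: one compliant region and one that hits all three pitfalls.
SAMPLE = {
    "us-east-1": (True, "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK",
                  [{"VolumeId": "vol-0a1", "Encrypted": True}]),
    "eu-west-1": (False, AWS_MANAGED_EBS_KEY,
                  [{"VolumeId": "vol-0b2", "Encrypted": False},
                   {"VolumeId": "vol-0c3", "Encrypted": True}]),
}

if __name__ == "__main__":
    # python audit_ebs.py --live us-east-1 eu-west-1   (or no args to use the sample)
    live = [a for a in sys.argv[1:] if a != "--live"] if "--live" in sys.argv else []
    data = {r: collect_live(r) for r in live} if live else SAMPLE
    print("\n".join(audit_all(data)) or "all regions compliant")
```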
📈 Business Value
Default encryption catches every new volume — no human-in-loop required.
⏱️ Effort Estimate
5 minutes per region
EchelonGraph monitors EBS encryption status
🔗 Cross-Framework References
Automate CIS AWS 2.2.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.