Finding unencrypted AWS EBS Volumes at scale

ecuring data is the biggest challenge when using Public Cloud such as AWS.  The data in the public cloud is a frequent target for hackers. The user handles the security of its cloud assets under the shared responsibility model. Cloud asset security requires careful cloud resources configuration.

The need for encryption

For many applications, data must be quickly accessible and need long term persistence. For such cases, the AWS EBS volume is an ideal choice. Many such applications, process and store critical information on volume, including PII, passwords.  

The S3 buckets are already famous for leaking sensitive data due to misconfigurations. Often another critical source of the data leakage is ignored. At DEF CON 27, Ben Morris presented “More Keys than a Piano: Finding Secrets in Publicly Exposed EBS Volumes”. His findings were shocking. He found sensitive data such as passwords, SSH private keys, TLS certificates, source code, API keys etc on the EBS volumes. Thus even when a server is not exposed to the internet the EBS volumes can prove a critical security threat.

Even when an EC2 instance is not exposed to the internet the AWS EBS volumes may leak sensitive data.

Ways to mitigate the risk

To avoid Amazon EBS security risks, limit snapshot access to particular AWS users. Also, enable encryption for these EBS volumes.

Enable EBS volume encryption to protect:

• data at rest inside the volume,
• data in transit between the volume and the instance,
• snapshots created from the volume, and
• volumes created from those snapshots.

AWS managed KMS keys are used by default, to encrypt EBS volumes. Or, you can provide a customer-managed key as the default KMS key for EBS encryption. You can provide a such KMS key via the AWS console and CLI.

To enable EBS volume encryption for the volume at the time of creation, select the Encrypt this volume checkbox. By default, this option is not selected.

You may also enable the encryption for existing EBS volumes. For that you first need to find unencrypted EBS volumes.

Finding unencrypted EBS Volumes

(Update 14 March 2023) Security Compliance Checks

Recently CloudYali launched AWS Security Compliance feature. This feature currently supports controls for CIS Amazon Web Services Foundations Benchmark 1.4.0 and AWS Foundational Security Best Practices controls. The CIS Amazon Web Services Foundations Benchmark 1.4.0 control

2.2.1 Ensure EBS volume encryption is enabled helps to identify EBS volumes which are unencrypted.

You may directly visit the Cloudyali dashboard Security tab and all such EBS volumes will be identified and listed in the failed resources list.

Using AWS Console

The AWS Console is useful to identify unencrypted EBS volumes. An EC2 global search is a good option when you want to identify such volumes in a specific AWS region. This is a simple and easy way to identify EBS volumes in a few regions and AWS accounts. All you need to do is visit each region in each AWS account one by one. Yet this is not a scalable way if you're planning to search in many regions and accounts.

Using AWS CLI

You can find out all the EBS volumes by running the describe-volumes command for all the accounts and all the regions one by one.

aws ec2 describe-volumes --filters Name=encrypted,Values=false | jq '.Volumes[] | .VolumeId ,.Encrypted'

Using AWS APIs

Using AWS APIs is a good choice if you have a larger cloud footprint and need to perform these checks often. Using AWS APIs in your favorite programming language definitely helps to iterate over every region in every AWS account.

import boto3

ec2_client = boto3.client('ec2', 'us-east-1')
unencrypted_volumes = ec2_client.describe_volumes(Filters=[{
   'Name': 'encrypted',
   'Values': ['false']
}])

Needless to say, run this script in all the regions, and all accounts.

Using CloudYali Resource Attribute Search

CloudYali resource attribute search helps to find cloud resources based on their attributes. The default scope of this search is across all accounts and regions. It is super easy to find unencrypted EBS volumes with CloudYali.

CloudYali also provides this search as a managed rule. Under the Rules tab locate the Unencrypted EBS volumes rule.

Run this rule to list all the unencrypted AWS EBS volumes from all AWS accounts and regions in one place. All it needs is a single click. Use the ‘Export to CSV’ option to export this list as CSV to use in reports, or as an input to your remediation workflow.

Remediation Steps

New EBS Volume creation

For new EBS volumes you can specify the encryption option in AWS console or AWS CLI.

aws ec2 create-volume \
    --size 120 \
    --encrypted \
    --availability-zone us-east-1a

Existing unencrypted EBS Volumes

For already existing EBS volumes that are not encrypted, the process is a bit involved. It is not possible to directly enable encryption on existing EBS volumes. For such volumes, you need to re-create the EBS volumes and then turn the encryption on.

• Create a new snapshot from your non-encrypted volume. Use the create-snapshot CLI command for this purpose. The output would give a snapshot identifier SnapshotId which will be used in the next step as input.

aws ec2 create-snapshot  --volume-id vol-a234f67890abcdef0 --description "This is original volume snapshot"
  
Output:

{
    "Description": "This is original volume snapshot",
    "Tags": [],
    "Encrypted": false,
    "VolumeId": "vol-a234f67890abcdef0",
    "State": "pending",
    "VolumeSize": 8,
    "StartTime": "2022-02-28T21:06:01.000Z",
    "Progress": "",
    "OwnerId": "012345678910",
    "SnapshotId": "snap-0d6877671789bd71f"
}

• Using SnapshotId from previous step as source, create an encrypted copy of the snapshot

aws ec2 copy-snapshot \
    --source-region us-east-1 \
    --source-snapshot-id snap-0d6877671789bd71f \
    --encrypted \
    --kms-key-id alias/my-kms-key
    --description "This is the copied (and unencrypted) snapshot."

Output:
{
    "SnapshotId": "snap-076877671788be71b"
}

• Create a new volume from this encrypted snapshot with create-volume CLI. The output of this command will give you the volume identifier which now can be used in place of the original unencrypted EBS volume.

aws ec2 create-volume
	--region us-east-1
	--availability-zone us-east-1a
	--snapshot-id snap-076877671788be71b
	--volume-type gp2 
	--encrypted
  
Output:
{
    "AvailabilityZone": "us-east-1a",
    "Encrypted": true,
    "VolumeType": "gp2",
    "VolumeId": "vol-de312703",
    "State": "creating",
    "SnapshotId": "snap-076877671788be71b",
    "Size": 120
}

• Now it is safe to detach the original unencrypted EBS volume and use the new volume that we just created in its place.

aws ec2 detach-volume  --volume-id vol-a234f67890abcdef0

aws ec2 attach-volume --volume-id vol-de312703 --instance-id i-01473ef562b79480 --device /dev/sdf

Output:
{
    "AttachTime": "2022-02-28T21:16:03.000Z",
    "InstanceId": "i-01473ef562b79480",
    "VolumeId": "vol-dd313803",
    "State": "attaching",
    "Device": "/dev/sdf"
}

‍

References

• New EBS Encryption for Additional Data Protection
• New – Encrypted EBS Boot Volumes
• Amazon EBS Encryption
• Copying an Amazon EBS Snapshot

‍