This check assesses EBS volumes for encryption at rest with AWS KMS.
It reports volumes whose Encrypted attribute is false, meaning data is stored unencrypted on the underlying block storage.
Risk
Unencrypted volumes or snapshots can be copied, shared, or recovered and reveal raw data, undermining confidentiality.
Adversaries with host or account access can read disks offline, harvest secrets, or alter system images, affecting integrity and enabling lateral movement.
prowler aws --checks ec2_ebs_volume_encryption
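As an added example (not the Prowler check's own source code), the following Python applies the same per-volume rule to a DescribeVolumes response page and also reads the region's EBS encryption-by-default setting; the sample response, volume IDs, and key ARN are constructed, and the live scan assumes boto3 with valid credentials.

```python
"""Added example (not the Prowler check's own source): evaluate EBS volumes
with the same rule as ec2_ebs_volume_encryption, one finding per volume,
FAIL when the volume's Encrypted attribute is false.  A second function
checks the region-level EBS encryption-by-default setting."""


def evaluate_volumes(describe_volumes_response, region):
    """Turn one DescribeVolumes response page into PASS/FAIL findings."""
    findings = []
    for vol in describe_volumes_response.get("Volumes", []):
        encrypted = bool(vol.get("Encrypted", False))
        findings.append({
            "resource_id": vol["VolumeId"],
            "region": region,
            "status": "PASS" if encrypted else "FAIL",
            "kms_key_id": vol.get("KmsKeyId"),  # None when unencrypted
            "attached_to": [a["InstanceId"] for a in vol.get("Attachments", [])],
        })
    return findings


def encryption_by_default_enabled(get_ebs_encryption_by_default_response):
    """True when new volumes in the region are encrypted automatically."""
    return bool(get_ebs_encryption_by_default_response.get("EbsEncryptionByDefault", False))


def scan_region(region):
    """Live scan with boto3 (import kept local so the offline sample runs without it)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        findings.extend(evaluate_volumes(page, region))
    by_default = encryption_by_default_enabled(ec2.get_ebs_encryption_by_default())
    return findings, by_default


# Constructed sample shaped like a DescribeVolumes response (IDs and key ARN are made up).
SAMPLE_RESPONSE = {
    "Volumes": [
        {"VolumeId": "vol-0aaa111", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
         "Attachments": [{"InstanceId": "i-0abc123", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0bbb222", "Encrypted": False, "Attachments": []},
    ]
}

if __name__ == "__main__":
    for f in evaluate_volumes(SAMPLE_RESPONSE, "us-east-1"):
        print(f"{f['status']} {f['region']} {f['resource_id']} attached_to={f['attached_to']}")
```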
Recommendation
Encrypt all EBS volumes and enable encryption by default for new volumes and snapshot copies.
Apply least privilege to KMS keys, restrict snapshot sharing, and enforce defense in depth with policies and templates that prevent creation of unencrypted storage.
Remediation
aws ec2 create-snapshot --volume-id <VOLUME_ID> --description "Snapshot for encryption"
aws ec2 copy-snapshot --source-region <REGION> --source-snapshot-id <SNAPSHOT_ID> --encrypted --description "Encrypted snapshot"
aws ec2 create-volume --snapshot-id <ENCRYPTED_SNAPSHOT_ID> --availability-zone <AZ> --encrypted
Use the SnapshotId returned by each command as the input to the next; the three steps cannot be chained blindly because each ID is only known after the previous call completes.
- In the AWS Console, go to EC2 > Volumes and select the unencrypted volume
- Choose Actions > Create snapshot and wait for it to complete
- Open the snapshot, click Actions > Create volume, select the same Availability Zone, and check Encrypted, then create
- Stop the instance using the old volume
- Detach the old (unencrypted) volume
- Attach the new encrypted volume to the instance using the same device name
- Start the instance
- Verify the new volume shows Encrypted = Yes
Resource Type
AwsEc2Volume