Unecrypted EBS Snapshots contain all data on the original EBS volume in an unencrypted format, failing to protect this data from unauthorised decryption
Elastic Block Storage (EBS) functions like an on-demand hard disk drive from AWS. EBS is used as active storage for EC2 instances, serving as a virtual hard drive for snapshots or copies of active or paused volumes. Essentially, these snapshots capture the entire state of the disk at the time of creation, storing all the data on the drive. If a snapshot is not encrypted, the data is stored in plain text, which could include sensitive information such as code, databases, PKI, passwords, usernames, configurations, logs, and more.
If an unencrypted snapshot is shared, leaked, or accessed by unintended or malicious actors, all the data would be fully available for exploitation. Encrypting snapshots and their associated volumes adds a crucial layer of security. It requires that any access to the snapshot also involves permissions to use the AWS KMS key that encrypted it. AWS KMS keys offer robust access controls, ensuring that only authorized users can decrypt and access the data, with strict security enforced by default.
By encrypting snapshots with a KMS key, you gain full access control functionality from AWS KMS, protecting valuable disk data stored in snapshots. This encryption also controls where snapshots can be deployed, ensuring they remain within the intended geographical region, preventing sharing with unauthorized accounts, or being accessed by personnel outside automated backup processes. Given that snapshots often contain large amounts of sensitive data, both intentionally and unintentionally, encryption is essential to maintaining control over where the data resides and who can access it.
Should an encrypted volume be made public, without the permissions on the AWS KMS Key foreign accounts would not be able to decrypt the snapshot nullifying test AWS-EC2-11 - Public EBS Snapshots
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
Encrypting the snapshot requires creating an encrypted EBS volume from the snapshot and then creating an encrypted snapshot from that volume. This is the same process originally used to create the volume but doing so in a manner that enables encryption on the resulting EBS snapshot.
A more important task during this process is to thoroughly analyse the data integrity and the history behind each unencrypted volume. As unencrypted volumes often have had little to no access control of their data it’s essential to review their usage history. This helps determine whether the volume has been accessed by unauthorized parties and if a breach has occurred. If a breach is identified, it’s important to assess the level of data risk involved and determine whether any organizational actions need to be taken.
Determining access can be specialized and utilizes tools such as custom tooling, additional AWS services such as CloudTrail and seasoned architectural knowledge to determine the full history of each volume. In time sensitive scenarios like these we offer architectural support which results in faster and accurate analysis of the situation as it unfolded.