
Detecting Unencrypted EBS Volumes Using AWS Config


Introduction

Data-at-rest security is a critical aspect of cloud security. In AWS, Amazon Elastic Block Store (EBS) volumes are commonly used to store application data, operating system files, and logs for EC2 instances. If these volumes are not encrypted, sensitive data may be exposed in the event of unauthorized access or snapshot leakage.

In this project, I implemented a solution using AWS Config to automatically detect unencrypted EBS volumes, validate the detection against a running workload, and remediate the finding. This demonstrates how organizations can enforce continuous compliance for data-at-rest encryption.

Project Overview

The goal of this project was to:

  1. Monitor EBS volumes using AWS Config

  2. Detect EBS volumes that are not encrypted

  3. Validate the detection using a real EC2 workload

AWS services used:

  1. AWS Config

  2. Amazon EC2

  3. Amazon EBS

  4. AWS KMS (for encryption)

Step 1: Enable AWS Config

AWS Config was enabled to record configuration changes for all supported resources.

Key settings:

  1. All supported resources recorded

  2. Global resources enabled

  3. S3 bucket configured for configuration history

  4. To enable recording, go to Settings and click “Start recording”

Explanation: AWS Config continuously evaluates AWS resources against defined compliance rules, allowing security teams to detect misconfigurations automatically.

Step 2: Add the ENCRYPTED_VOLUMES Rule

  1. Navigate to AWS Config → Rules

  2. Add an AWS managed rule

  3. Select: ENCRYPTED_VOLUMES

  4. Save the rule with default settings

What this rule does: It checks whether EBS volumes are encrypted using AWS Key Management Service (KMS).

✅ Encrypted volume → COMPLIANT

❌ Unencrypted volume → NON_COMPLIANT
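To make the rule's decision concrete, here is an added example (not AWS's rule implementation and not code from the post) that applies the same logic the ENCRYPTED_VOLUMES rule documents to a few constructed records shaped like the entries that ec2:DescribeVolumes returns. It also covers two details the console hides: the rule only evaluates volumes in an attached state (a detached unencrypted volume is reported as NOT_APPLICABLE, which is why the post attaches its test volume to an instance), and the rule's optional kmsId parameter, which additionally requires that an encrypted volume uses one of the listed keys. All volume, instance and key identifiers below are made up for the example.

```python
"""Re-implementation of the ENCRYPTED_VOLUMES compliance decision over
constructed describe-volumes-style records (added example, not AWS code)."""

# Constructed sample records shaped like the "Volumes" entries returned by
# ec2:DescribeVolumes. Every identifier here is made up for the example.
SAMPLE_VOLUMES = [
    {   # root volume the instance launched with: encrypted and attached
        "VolumeId": "vol-0aaa111example",
        "AvailabilityZone": "us-east-1a",
        "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-1",
        "Attachments": [{"InstanceId": "i-0123456789example",
                         "Device": "/dev/xvda", "State": "attached"}],
    },
    {   # the volume created in Step 4 and attached at /dev/xvdf in Step 6
        "VolumeId": "vol-0bbb222example",
        "AvailabilityZone": "us-east-1a",
        "Encrypted": False,
        "Attachments": [{"InstanceId": "i-0123456789example",
                         "Device": "/dev/xvdf", "State": "attached"}],
    },
    {   # unencrypted but detached: the rule does not evaluate it at all
        "VolumeId": "vol-0ccc333example",
        "AvailabilityZone": "us-east-1b",
        "Encrypted": False,
        "Attachments": [],
    },
]


def is_attached(volume):
    """True when at least one attachment of the volume is in state 'attached'."""
    return any(a.get("State") == "attached" for a in volume.get("Attachments", []))


def key_matches(kms_key_id, allowed):
    """Accept either the full key ARN or the bare key ID, as the rule's kmsId
    parameter takes 'ID or ARN' (matching approximated here)."""
    if not kms_key_id:
        return False
    return any(kms_key_id == k or kms_key_id.endswith("/" + k) for k in allowed)


def evaluate_volume(volume, kms_ids=None):
    """Return the compliance type the rule would report for one volume."""
    if not is_attached(volume):
        return "NOT_APPLICABLE"          # rule scope: attached volumes only
    if not volume.get("Encrypted"):
        return "NON_COMPLIANT"           # the post's Step 7 finding
    if kms_ids and not key_matches(volume.get("KmsKeyId"), kms_ids):
        return "NON_COMPLIANT"           # encrypted, but with the wrong key
    return "COMPLIANT"


def evaluate_volumes(volumes, kms_ids=None):
    """Map each VolumeId to its compliance type."""
    return {v["VolumeId"]: evaluate_volume(v, kms_ids) for v in volumes}


def noncompliant_ids(volumes, kms_ids=None):
    """The volume IDs a security team would see listed under the rule."""
    return sorted(vid for vid, result in evaluate_volumes(volumes, kms_ids).items()
                  if result == "NON_COMPLIANT")


if __name__ == "__main__":
    for vid, result in evaluate_volumes(SAMPLE_VOLUMES).items():
        print(f"{vid}: {result}")
```

Running the block prints one line per sample volume; only the attached, unencrypted volume is NON_COMPLIANT. The attached-only scope matters for coverage: an unencrypted volume left detached is invisible to this rule, so an inventory of detached volumes needs a separate check.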

Step 3: Create an EC2 Instance

To simulate a real production scenario:

  1. Launched an EC2 instance (AWS getting-started guide for creating an instance: https://aws.amazon.com/ec2/getting-started/)

  2. The instance automatically came with a default root EBS volume

  3. Note: this default root volume was encrypted by default

Why this step matters: EBS volumes are typically used in conjunction with EC2 instances. Testing encryption in isolation is less realistic than attaching volumes to a running instance.

Step 4: Create an Unencrypted EBS Volume

  1. Navigate to EC2 → Volumes

  2. Create a new volume with the following settings:

    Volume type: gp3

    Size: 8 GiB (or leave the default)

    Availability Zone: the AZ where your EC2 instance is running

  3. Leave the “Encrypt this volume” box unticked, so the volume is created with encryption disabled ❌

⚠️ Important: The EBS volume must be created in the same Availability Zone (AZ) as the EC2 instance. EBS volumes can only be attached to EC2 instances within the same AZ.

Step 5: Detach the Default EBS Volume

When an EC2 instance is launched, AWS automatically attaches a default root EBS volume, which is usually encrypted by default.

To detach it:

  1. Stop the EC2 instance

  2. Navigate to EC2 → Volumes

  3. Select the default EBS volume attached to the EC2 instance

  4. Click Actions → Detach volume

  5. Confirm the detachment

Step 6: Attach the Unencrypted EBS Volume

Next, attach the unencrypted EBS volume created earlier.

  1. In EC2 → Volumes, select the unencrypted EBS volume you created

  2. Click Actions → Attach volume

  3. Select the EC2 instance

  4. Choose a device name (for example: /dev/xvdf)

  5. Click Attach

⚠️ Important:
The EBS volume must be in the same Availability Zone (AZ) as the EC2 instance, otherwise it cannot be attached.

Step 7: Test (Observe Non-Compliance in AWS Config)

  1. Start your EC2 Instance

  2. Return to AWS Config → Rules

  3. Select ENCRYPTED_VOLUMES

After evaluation, the unencrypted volume is flagged as:

❌ NON_COMPLIANT

The evaluation details include the Volume ID of the non-compliant resource, so the finding can be traced back to the exact volume.

Remediate the Issue (Encrypt the Volume)

AWS does not allow in-place encryption of existing EBS volumes. The correct remediation approach is:

  1. Create a snapshot of the unencrypted volume

  2. Copy the snapshot and enable encryption on the copy

  3. Create a new EBS volume from the encrypted snapshot

  4. Detach the unencrypted volume

  5. Attach the encrypted volume to the EC2 instance

Why AWS enforces this: This approach preserves data integrity and prevents corruption during encryption.

(Insert screenshot: Snapshot encryption process)

Step 8: Verify Compliance After Remediation

  1. Return to AWS Config → Rules → ENCRYPTED_VOLUMES

  2. Wait for re-evaluation

Result: ✅ COMPLIANT
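The remediation steps above and the verification in Step 8 are done in the console in this post; the following added example (my code, not the post's) scripts the same five steps with boto3 and then checks the outcome the way Step 8 does, by reading the volume records back. It assumes the instance has been stopped beforehand, as the post does before detaching, and that the caller passes the region, volume ID, instance ID and device name on the command line; the `volume_is_remediated` check is pure and is exercised below on constructed records with made-up identifiers.

```python
"""Script the post's remediation (snapshot, encrypted copy, new volume,
swap) and verify the result. Added example, not the post's own code."""
import sys


def volume_is_remediated(old_volume, new_volume, instance_id, device):
    """Pure check over describe-volumes-style records: the replacement is
    encrypted, sits in the original's AZ, is attached to the instance at the
    chosen device, and the unencrypted original is no longer attached."""
    new_attached = [a for a in new_volume.get("Attachments", [])
                    if a.get("State") == "attached"]
    old_attached = [a for a in old_volume.get("Attachments", [])
                    if a.get("State") == "attached"]
    return (
        bool(new_volume.get("Encrypted"))
        and new_volume.get("AvailabilityZone") == old_volume.get("AvailabilityZone")
        and any(a.get("InstanceId") == instance_id and a.get("Device") == device
                for a in new_attached)
        and not old_attached
    )


def encrypt_volume(ec2, region, volume_id, instance_id, device, kms_key_id=None):
    """Run the five remediation steps against a stopped instance.
    Returns (new_volume_id, verified)."""
    old = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    az = old["AvailabilityZone"]

    # 1. snapshot the unencrypted volume and wait until it is complete
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-encryption copy of {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    # 2. copy the snapshot with encryption enabled (account default EBS key
    #    unless a specific KMS key is supplied)
    copy_args = dict(SourceSnapshotId=snap["SnapshotId"], SourceRegion=region,
                     Encrypted=True)
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_args)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap["SnapshotId"]])

    # 3. create the replacement in the same AZ; a volume built from an
    #    encrypted snapshot is always encrypted
    new = ec2.create_volume(AvailabilityZone=az, SnapshotId=enc_snap["SnapshotId"],
                            VolumeType=old["VolumeType"])
    ec2.get_waiter("volume_available").wait(VolumeIds=[new["VolumeId"]])

    # 4. detach the unencrypted volume (instance is stopped, so no I/O in flight)
    ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])

    # 5. attach the encrypted replacement at the same device name
    ec2.attach_volume(VolumeId=new["VolumeId"], InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new["VolumeId"]])

    # Step 8 equivalent: read both records back and verify the swap
    after = {v["VolumeId"]: v for v in
             ec2.describe_volumes(VolumeIds=[volume_id, new["VolumeId"]])["Volumes"]}
    ok = volume_is_remediated(after[volume_id], after[new["VolumeId"]], instance_id, device)
    return new["VolumeId"], ok


# Constructed post-remediation records (made-up IDs) for the pure check.
SAMPLE_OLD_AFTER = {"VolumeId": "vol-0old000example", "AvailabilityZone": "us-east-1a",
                    "Encrypted": False, "Attachments": []}
SAMPLE_NEW_AFTER = {"VolumeId": "vol-0new000example", "AvailabilityZone": "us-east-1a",
                    "Encrypted": True,
                    "Attachments": [{"InstanceId": "i-0123456789example",
                                     "Device": "/dev/xvdf", "State": "attached"}]}


if __name__ == "__main__":
    import boto3  # imported here so the pure check runs without the SDK
    region, volume_id, instance_id, device = sys.argv[1:5]
    client = boto3.client("ec2", region_name=region)
    new_id, verified = encrypt_volume(client, region, volume_id, instance_id, device)
    print(f"replacement {new_id} attached at {device}: verified={verified}")
```

The unencrypted original and its unencrypted snapshot are deliberately left in place by the script so they can be deleted once the instance has been started and checked; until they are, the snapshot still holds a plaintext copy of the data, and AWS Config will only re-evaluate the rule once the new volume's attachment is recorded.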

Conclusion

This project demonstrates how AWS Config can be used to detect and remediate unencrypted EBS volumes in a realistic EC2 environment. By enforcing encryption at rest, organizations can significantly reduce the risk of data exposure and meet compliance requirements.