Create ec2v3.tf

[caswalker]

No description provided.

[bridgecrew]

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

[bridgecrew]

  Ensure S3 buckets are encrypted with KMS by default
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56

How to Fix

resource "aws_s3_bucket" "mybucket" {
  ...
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
 +      sse_algorithm     = "aws:kms"
      }
    }
  }
}

Description

TBA

Dependent Resources

Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

[bridgecrew]

  Ensure S3 bucket has cross-region replication enabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

Dependent Resources

Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

[bridgecrew]

  Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_109

How to Fix

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
+ kms_key_id = "ckv_kms"
  tags = {
    Name = "HelloWorld"
  }
}

Description

Amazon EBS automatically creates a unique AWS managed key in each Region where you store AWS resources. This KMS key has the alias alias/aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed key that you created as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Dependent Resources

Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

[bridgecrew]

  Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

Dependent Resources

Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

[bridgecrew]

  Ensure VPC subnets do not assign public IP by default
    Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53

How to Fix

resource "aws_subnet" "test" {
 ...
+ map_public_ip_on_launch = false
  }

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

Dependent Resources

Calculating...

🎉   Fixed by commit b500196 - Create ec2v3.tf

[prisma-cloud-devsecops]

  AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.web_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.

Benchmarks

• SOC2 CC6.3.3
• PCI-DSS V3.2.1 1.3, 2.1
• PCI-DSS V3.2 2
• HIPAA 164.312(E)(1)
• NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
• ISO27001 A.13.1.3
• CIS AWS V1.2 4.4
• FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

[prisma-cloud-devsecops]

Suggested change

	resource "aws_instance" "web_host" {
	*_block_device {
	encrypted = true
	}
	}

  EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_13

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Benchmarks

• PCI-DSS V3.2 3

[prisma-cloud-devsecops]

Suggested change

	resource "aws_s3_bucket" "flowbucket" {
	server_side_encryption_configuration {
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "aws:kms"
	}
	}
	}
	}

  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_56

Description

TBA

[prisma-cloud-devsecops]

Suggested change

	resource "aws_s3_bucket" "flowbucket" {
	versioning {
	enabled = true
	}
	}

  AWS S3 object versioning is disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_16

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

• PCI-DSS V3.2.1 10.5.3
• FEDRAMP (MODERATE) CP-10, SI-12

[prisma-cloud-devsecops]

  Not every Security Group rule has a description
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_31

Description

Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs.

We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals, this helps prevent developer errors.

Benchmarks

• SOC2 CC6.3.3
• ISO27001 A.10.1.1

[prisma-cloud-devsecops]

  AWS Security Group allows all traffic on SSH port 22
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

• SOC2 CC6.3.3
• PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
• PCI-DSS V3.2 2
• HIPAA 164.312(E)(1)
• NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
• ISO27001 A.10.1.1
• CIS AWS V1.2 4.1
• CIS AWS V1.3 5.2
• FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

[prisma-cloud-devsecops]

Suggested change

	}
	monitoring = true
	}

  Detailed monitoring for EC2 instances is disabled
    Resource: aws_instance.web_host | ID: BC_AWS_LOGGING_26

Description

TBA

[prisma-cloud-devsecops]

  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

[prisma-cloud-devsecops]

  terraform build demo
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643881781204

[prisma-cloud-devsecops]

  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

[prisma-cloud-devsecops]

Suggested change

	resource "aws_instance" "web_host" {
	ebs_optimized = true
	}

  EC2 EBS is not optimized
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_68

Description

TBA

[prisma-cloud-devsecops]

  Instance Metadata Service version 1 is enabled
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_31

How to Fix

resource "aws_instance" "example" {
  ...
  instance_type     = "t2.micro"
+   metadata_options {
        ...
+       http_endpoint = "enabled"
+       http_tokens   = "required"
+  }
  ...
}

Description

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods: * Instance Metadata Service Version 1 (IMDSv1) – a request/response method * Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method IMDSv1 is prone to local misconfigurations:

• Open proxies, open NATs and routers, server-side reflection vulnerabilities.
• One way or another, local software might access local-only data.

Benchmarks

• FEDRAMP (MODERATE) AC-6

[prisma-cloud-devsecops]

  Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    Resource: aws_ebs_volume.web_host_storage | ID: BC_AWS_GENERAL_109

How to Fix

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
+ kms_key_id = "ckv_kms"
  tags = {
    Name = "HelloWorld"
  }
}

Description

Amazon EBS automatically creates a unique AWS managed key in each Region where you store AWS resources. This KMS key has the alias alias/aws/ebs. By default, Amazon EBS uses this KMS key for encryption. Alternatively, you can specify a symmetric customer managed key that you created as the default KMS key for EBS encryption. Using your own KMS key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

[prisma-cloud-devsecops]

  All S3 Buckets must have a tag with key Classification and have versioning enabled
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643813941482

[prisma-cloud-devsecops]

Suggested change

resource "aws_subnet" "web_subnet2" {

  VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

[prisma-cloud-devsecops]

  AWS access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_13

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

• HIPAA 164.312(B) Audit controls

[prisma-cloud-devsecops]

Suggested change

resource "aws_subnet" "web_subnet" {

  VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

[prisma-cloud-devsecops]

  EC2 user data exposes secrets
    Resource: aws_instance.web_host | ID: BC_AWS_SECRETS_1

How to Fix

resource "aws_instance" "web" {
    ...
    instance_type = "t3.micro"
-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}

Description

**User Data** is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

[prisma-cloud-devsecops]

Suggested change

	resource "aws_s3_bucket" "flowbucket" {
	server_side_encryption_configuration {
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "AES256"
	}
	}
	}
	}

  Data stored in the S3 bucket is not securely encrypted at rest
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_14

Description

SSE helps prevent unauthorized access to S3 buckets. Encrypting and decrypting data at the S3 bucket level is transparent to users when accessing data.

Benchmarks

• PCI-DSS V3.2.1 3.4
• PCI-DSS V3.2 3
• NIST-800-53 AC-17, SC-2
• CIS AWS V1.3 2.1.1
• FEDRAMP (MODERATE) SC-28

[prisma-cloud-devsecops]

⚠️   Due to d9b97e2 - Bridgecrew bot fix for ec2v3.tf - 19 new errors were added

Change details

Error ID	Change	Path	Resource
BC_AWS_GENERAL_72	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_GENERAL_68	Added	/ec2v3.tf	aws_instance.web_host
BC_AWS_LOGGING_26	Added	/ec2v3.tf	aws_instance.web_host
BC_AWS_NETWORKING_53	Added	/ec2v3.tf	aws_subnet.web_subnet2
BC_AWS_NETWORKING_53	Added	/ec2v3.tf	aws_subnet.web_subnet
BC_AWS_GENERAL_31	Added	/ec2v3.tf	aws_instance.web_host
BC_AWS_SECRETS_1	Added	/ec2v3.tf	aws_instance.web_host
BC_AWS_S3_16	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_S3_14	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_S3_13	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_GENERAL_13	Added	/ec2v3.tf	aws_instance.web_host
BC_AWS_NETWORKING_31	Added	/ec2v3.tf	aws_security_group.web-node
BC_AWS_NETWORKING_1	Added	/ec2v3.tf	aws_security_group.web-node
BC_AWS_NETWORKING_4	Added	/ec2v3.tf	aws_vpc.web_vpc
807152304871829504_AWS_1643881781204	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
807152304871829504_AWS_1643813941482	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_GENERAL_109	Added	/ec2v3.tf	aws_ebs_volume.web_host_storage
BC_AWS_NETWORKING_52	Added	/ec2v3.tf	aws_s3_bucket.flowbucket
BC_AWS_GENERAL_56	Added	/ec2v3.tf	aws_s3_bucket.flowbucket

[prisma-cloud-devsecops]

Prisma Cloud has found infrastructure configuration errors in this PR ⬇️

[prisma-cloud-devsecops]

  AWS Security Group allows all traffic on SSH port 22
    Resource: aws_security_group.web-node | ID: BC_AWS_NETWORKING_1

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Benchmarks

• SOC2 CC6.3.3
• PCI-DSS V3.2.1 1.2.1, 1.3, 2.2.2
• PCI-DSS V3.2 2
• HIPAA 164.312(E)(1)
• NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
• ISO27001 A.10.1.1
• CIS AWS V1.2 4.1
• CIS AWS V1.3 5.2
• FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

[prisma-cloud-devsecops]

  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_GENERAL_72

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

[prisma-cloud-devsecops]

  AWS Default Security Group does not restrict all traffic
    Resource: aws_vpc.web_vpc | ID: BC_AWS_NETWORKING_4

How to Fix

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.ok_vpc.id
}

Description

A VPC comes with a default security group that has an initial setting denying all inbound traffic, allowing all outbound traffic, and allowing all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources.

We recommend that your default security group restricts all inbound and outbound traffic. The default VPC in every region should have its default security group updated to comply with this recommendation. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups. This in-turn reduces the exposure of those resources.

Benchmarks

• SOC2 CC6.3.3
• PCI-DSS V3.2.1 1.3, 2.1
• PCI-DSS V3.2 2
• HIPAA 164.312(E)(1)
• NIST-800-53 AC-17, CA-3, CA-9, CM-3, SC-2
• ISO27001 A.13.1.3
• CIS AWS V1.2 4.4
• FEDRAMP (MODERATE) AC-4, SC-7, SC-7(3)

[prisma-cloud-devsecops]

  terraform build demo
    Resource: aws_s3_bucket.flowbucket | ID: 807152304871829504_AWS_1643881781204

[prisma-cloud-devsecops]

  AWS access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_13

How to Fix

resource "aws_s3_bucket" "bucket" {
  acl    = var.s3_bucket_acl
  bucket = var.s3_bucket_name
  policy = var.s3_bucket_policy

  force_destroy = var.s3_bucket_force_destroy
  versioning {
    enabled    = var.versioning
    mfa_delete = var.mfa_delete
  }

+  dynamic "logging" {
+    for_each = var.logging
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "log/${var.s3_bucket_name}"
+    }
+  }
}

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

Benchmarks

• HIPAA 164.312(B) Audit controls

[prisma-cloud-devsecops]

  Instance Metadata Service version 1 is enabled
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_31

How to Fix

resource "aws_instance" "example" {
  ...
  instance_type     = "t2.micro"
+   metadata_options {
        ...
+       http_endpoint = "enabled"
+       http_tokens   = "required"
+  }
  ...
}

Description

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods: * Instance Metadata Service Version 1 (IMDSv1) – a request/response method * Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method IMDSv1 is prone to local misconfigurations:

• Open proxies, open NATs and routers, server-side reflection vulnerabilities.
• One way or another, local software might access local-only data.

Benchmarks

• FEDRAMP (MODERATE) AC-6

[prisma-cloud-devsecops]

Suggested change

map_public_ip_on_launch = true

  VPC subnets should not allow automatic public IP assignment
    Resource: aws_subnet.web_subnet2 | ID: BC_AWS_NETWORKING_53

Description

VPC subnet is a part of the VPC having its own rules for traffic. Assigning the Public IP to the subnet automatically (on launch) can accidentally expose the instances within this subnet to internet and should be edited to 'No' post creation of the Subnet.

[prisma-cloud-devsecops]

  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

[prisma-cloud-devsecops]

Suggested change

	}
	versioning {
	enabled = true
	}
	}

  AWS S3 object versioning is disabled
    Resource: aws_s3_bucket.flowbucket | ID: BC_AWS_S3_16

Description

S3 versioning is a managed data backup and recovery service provided by AWS. When enabled it allows users to retrieve and restore previous versions of their buckets.

S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.

Benchmarks

• PCI-DSS V3.2.1 10.5.3
• FEDRAMP (MODERATE) CP-10, SI-12

[prisma-cloud-devsecops]

Suggested change

	}
	*_block_device {
	encrypted = true
	}

  EBS volumes do not have encrypted launch configurations
    Resource: aws_instance.web_host | ID: BC_AWS_GENERAL_13

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Benchmarks

• PCI-DSS V3.2 3