What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

By:
In: SCS-C01
Tagged:
With: 1 Comment
Auditors for a health care company have mandated that all data volumes be encrypted at rest.Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.

What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.

Configure an AWS Config rule to run on a recurring basis for volume encryption.

Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.

Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Explanations:

Updating IAM user policies to require encrypted volumes does not provide a monitoring mechanism; it only enforces policy during instance creation. Existing volumes may remain unmonitored.

AWS Config can continuously monitor and assess the configuration of AWS resources, including EBS volume encryption. It can be set to run evaluations on a recurring basis, ensuring compliance with encryption requirements.

Amazon Inspector is designed for security assessments of applications and their configurations, not specifically for monitoring EBS volume encryption. It cannot directly check for encryption status on a recurring basis.

CloudWatch Logs can capture logs from EC2 instances but are not inherently designed to check for volume encryption status. This method would not provide a direct or efficient way to monitor encryption compliance.

2025-10-15

1 Comment

  1. Samantha
    Author

    I conclude that the answer is:
    Configure an AWS Config rule to run on a recurring basis for volume encryption.

Leave a Reply

Your email address will not be published. Required fields are marked *

12 − 1 =