EBS volume encryption should use Customer Managed Keys
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | ec2 |
| Provider | AWS |
Description
EBS volumes are encrypted using default AWS-managed keys instead of customer-managed KMS keys. This limits control over encryption settings such as key rotation, policy management, and access permissions.
Impact
Relying on AWS-managed keys reduces the ability to enforce granular security controls and meet compliance requirements. If compromised, there is less visibility and flexibility in managing encryption keys, increasing the risk of unauthorized data access or regulatory violations.
Resolution
Enable encryption using customer-managed KMS keys.
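One way to audit existing volumes for this finding, as an added example that is not part of the original check or its project's code: it classifies volumes from `aws ec2 describe-volumes` output using the `KeyManager` value that `aws kms describe-key` reports for each key. The sample data, IDs and the `audit_volumes` helper are constructed for illustration, and the example also reports unencrypted volumes and keys whose manager cannot be determined.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes` output (IDs are made up).
DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-ebs-default"},
  {"VolumeId": "vol-0bbb", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/team-cmk"},
  {"VolumeId": "vol-0ccc", "Encrypted": false},
  {"VolumeId": "vol-0ddd", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:444455556666:key/other-account"}
]}
""")

# Constructed map of key ARN -> KeyMetadata.KeyManager, the field that
# `aws kms describe-key` returns as "AWS" or "CUSTOMER" for each key.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-ebs-default": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/team-cmk": "CUSTOMER",
}


def audit_volumes(volumes, key_manager):
    """Return (volume_id, reason) for every volume not protected by a CMK."""
    findings = []
    for vol in volumes:
        vol_id = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            findings.append((vol_id, "unencrypted"))
            continue
        manager = key_manager.get(vol.get("KmsKeyId"))
        if manager == "CUSTOMER":
            continue  # compliant: key policy and rotation are under our control
        if manager == "AWS":
            findings.append((vol_id, "aws-managed-key"))
        else:
            # Key could not be described (e.g. other account, no permission):
            # fail closed rather than assume it is customer managed.
            findings.append((vol_id, "key-manager-unknown"))
    return findings


if __name__ == "__main__":
    for vol_id, reason in audit_volumes(DESCRIBE_VOLUMES["Volumes"], KEY_MANAGER):
        print(f"{vol_id}: {reason}")
```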