Unencrypted EBS Volumes: A Silent Security Risk

Encryption in AWS is easy to enable — but just as easy to overlook. One of the critical checks we perform at Lensix is identifying EBS volumes that are not encrypted at rest.
Why it matters
Unencrypted EBS volumes expose you in several ways:
- Sensitive Data Exposure: If a volume or snapshot is leaked, stolen, or accidentally shared with the wrong account, the data is readable in plaintext by whoever can attach or restore it.
- Compliance Risk: Encryption of data at rest is required or expected under nearly every major security standard, including HIPAA, PCI DSS, SOC 2, and ISO 27001. PCI DSS requires it for stored cardholder data; HIPAA treats it as an addressable safeguard that auditors expect you to have implemented or justified.
- No Default Protection: AWS offers "encryption by default" for EBS, but it is a per-region account setting that must be explicitly enabled. Until you set it, new volumes in that region are created unencrypted unless each one asks for encryption.
- Snapshots Inherit the Problem: Snapshots of an unencrypted volume are unencrypted, and volumes restored from those snapshots are unencrypted too, unless encryption by default is on in the region or you request encryption (and optionally a KMS key) at restore time.
How Does It Happen?
There are many ways you can end up with unencrypted volumes:
- Encryption Not Enabled by Default: Many assume AWS encrypts everything by default, but unless you have turned on encryption by default in the region, new volumes remain unencrypted.
- Legacy Infrastructure: Volumes created before your security policies matured may lack encryption and will stay that way until someone audits them; encryption is never applied retroactively.
- IaC Gaps: Terraform, CloudFormation, or SDK-based automation that does not explicitly request encryption (for example `encrypted = true` on a Terraform `aws_ebs_volume` or `root_block_device`, or `Encrypted: true` on a CloudFormation `AWS::EC2::Volume` or block device mapping) silently creates unencrypted volumes in any region where encryption by default is off.
- Snapshot Cloning: Creating volumes or AMIs from old unencrypted snapshots without requesting encryption at copy or restore time perpetuates the problem.
What to do about it
Audit - Use tools like Lensix or AWS Config (the managed rule `encrypted-volumes` flags unencrypted volumes attached to instances) to find unencrypted volumes and snapshots. The same check is a one-liner with the CLI: `aws ec2 describe-volumes --filters Name=encrypted,Values=false`.
Snapshot, Encrypt, Restore - Migrate unencrypted volumes safely: snapshot the volume, copy the snapshot with encryption enabled, create a new volume from the encrypted copy, then detach the old volume and attach the new one. Quiesce or stop the workload before snapshotting so the copy is consistent.
Set Encryption by Default - Enable account-level encryption by default in every AWS region you use (`aws ec2 enable-ebs-encryption-by-default --region ...`). This only affects volumes created afterwards; existing volumes still need the migration above.
Update Infrastructure Code - Ensure templates request encryption on every new volume and block device, so a deployment into a region where the default was never set still produces encrypted storage.
Consider CMKs - Use customer managed KMS keys if your security team requires rotation control, granular audit trails of key use, or tighter key policies. Volumes and snapshots encrypted with the AWS managed `aws/ebs` key work without any setup, but that key cannot be used to share snapshots with another account.
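The audit and migration steps above, as an added example that is not Lensix code or any AWS tooling: a small Python script that reads the JSON shape returned by boto3's `describe_volumes`, `describe_snapshots`, `describe_instances` and `get_ebs_encryption_by_default`, lists every unencrypted volume and snapshot, orders the volumes as the article recommends (data volumes before root disks), reports regions where encryption by default is still off, and emits the ordered AWS CLI commands for the snapshot, encrypt, restore migration of each volume. The sample payloads and every identifier in them are constructed for the example.

```python
"""Find EBS volumes and snapshots that are not encrypted at rest and plan the
snapshot -> encrypted copy -> restore migration for each unencrypted volume.

Added example for this article, not Lensix code. Input is the JSON shape that
boto3's ec2.describe_volumes(), ec2.describe_snapshots(OwnerIds=["self"]),
ec2.describe_instances() and ec2.get_ebs_encryption_by_default() return; the
payloads below are constructed samples with made-up identifiers.
"""
from __future__ import annotations

# --- Constructed sample responses (trimmed to the fields the audit reads) ---
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Size": 8, "Attachments": [{"InstanceId": "i-0aaa", "Device": "/dev/xvda"}],
     "Tags": [{"Key": "Name", "Value": "web-root"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Size": 500, "Attachments": [{"InstanceId": "i-0bbb", "Device": "/dev/sdf"}],
     "Tags": [{"Key": "Name", "Value": "db-data"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "AvailabilityZone": "us-east-1b", "VolumeType": "gp2",
     "Size": 20, "Attachments": [], "Tags": []},
    {"VolumeId": "vol-0eee", "Encrypted": False, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3",
     "Size": 8, "Attachments": [{"InstanceId": "i-0bbb", "Device": "/dev/xvda"}],
     "Tags": [{"Key": "Name", "Value": "db-root"}]},
]}
# InstanceId -> RootDeviceName, as read from describe_instances() (constructed).
SAMPLE_ROOT_DEVICES = {"i-0aaa": "/dev/xvda", "i-0bbb": "/dev/xvda"}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "Encrypted": True, "VolumeId": "vol-0aaa"},
    {"SnapshotId": "snap-0ccc", "Encrypted": False, "VolumeId": "vol-0ccc"},
    {"SnapshotId": "snap-0ddd", "Encrypted": False, "VolumeId": "vol-0ddd"},
]}
# region -> get_ebs_encryption_by_default() response (constructed).
SAMPLE_DEFAULTS = {"us-east-1": {"EbsEncryptionByDefault": True},
                   "eu-west-1": {"EbsEncryptionByDefault": False}}

# Migration order from the article: data volumes first, root disks last.
_KIND_RANK = {"data": 0, "unattached": 1, "root": 2}


def _name(volume: dict) -> str:
    return next((t["Value"] for t in volume.get("Tags", []) if t["Key"] == "Name"), "")


def classify(volume: dict, root_devices: dict[str, str]) -> str:
    """'root' if attached at the instance's root device, otherwise 'data' or 'unattached'."""
    atts = volume.get("Attachments", [])
    if not atts:
        return "unattached"
    a = atts[0]
    return "root" if root_devices.get(a["InstanceId"]) == a["Device"] else "data"


def unencrypted_volumes(resp: dict, root_devices: dict[str, str]) -> list[dict]:
    """Return a finding for every volume with Encrypted == False, data volumes first."""
    findings = []
    for v in resp["Volumes"]:
        if v.get("Encrypted"):
            continue
        att = (v.get("Attachments") or [{}])[0]
        findings.append({
            "VolumeId": v["VolumeId"], "Name": _name(v), "Kind": classify(v, root_devices),
            "AvailabilityZone": v["AvailabilityZone"], "VolumeType": v.get("VolumeType", "gp3"),
            "InstanceId": att.get("InstanceId"), "Device": att.get("Device"),
        })
    return sorted(findings, key=lambda f: (_KIND_RANK[f["Kind"]], f["VolumeId"]))


def unencrypted_snapshots(resp: dict) -> list[str]:
    """Snapshots that would restore to plaintext volumes unless encryption is requested."""
    return [s["SnapshotId"] for s in resp["Snapshots"] if not s.get("Encrypted")]


def regions_missing_default(resp_by_region: dict[str, dict]) -> list[str]:
    """Regions where 'aws ec2 enable-ebs-encryption-by-default' still needs to be run."""
    return sorted(r for r, resp in resp_by_region.items() if not resp.get("EbsEncryptionByDefault"))


def plan_migration(f: dict, kms_key_id: str | None = None) -> list[str]:
    """Ordered AWS CLI steps to replace an unencrypted volume with an encrypted copy.

    <...> placeholders are filled from the previous command's output. Stop the
    instance (or quiesce the filesystem) before step 1 so the snapshot is consistent.
    """
    region = f["AvailabilityZone"].rstrip("abcdef")  # us-east-1a -> us-east-1 (standard AZs only)
    key = f" --kms-key-id {kms_key_id}" if kms_key_id else ""  # omitted -> AWS managed aws/ebs key
    steps = [
        f"aws ec2 create-snapshot --volume-id {f['VolumeId']} --description 'pre-encryption copy'",
        f"aws ec2 copy-snapshot --source-region {region} --source-snapshot-id <SNAPSHOT_ID> --encrypted{key}",
        f"aws ec2 create-volume --snapshot-id <ENCRYPTED_SNAPSHOT_ID> "
        f"--availability-zone {f['AvailabilityZone']} --volume-type {f['VolumeType']}",
    ]
    if f["InstanceId"]:  # unattached volumes need no detach/attach swap
        steps += [f"aws ec2 detach-volume --volume-id {f['VolumeId']}",
                  f"aws ec2 attach-volume --volume-id <NEW_VOLUME_ID> "
                  f"--instance-id {f['InstanceId']} --device {f['Device']}"]
    return steps


if __name__ == "__main__":
    for f in unencrypted_volumes(SAMPLE_VOLUMES, SAMPLE_ROOT_DEVICES):
        print(f"{f['VolumeId']} ({f['Kind']}, {f['Name'] or 'untagged'})")
        for step in plan_migration(f):
            print("   ", step)
    print("unencrypted snapshots:", unencrypted_snapshots(SAMPLE_SNAPSHOTS))
    print("regions without encryption by default:", regions_missing_default(SAMPLE_DEFAULTS))
```

To run it against a real account, replace the constructed payloads with the live responses (for example `boto3.client("ec2", region_name=r).describe_volumes()` for each region) and keep the functions as they are; they never call AWS themselves. The generated commands are a plan to review, not to pipe into a shell blindly: the `copy-snapshot` step is where you decide between the AWS managed key and a customer managed one, and the detach/attach swap is the only step with downtime.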
Alternatives
If you're not ready to update all volumes:
- Start with data volumes rather than root disks. These are more likely to contain sensitive data.
- Phase the migration by tag or workload.
- Use a time-based suppression in Lensix to ensure you follow up.
Common caveats
Here are some things to consider before taking action:
- You can't enable encryption in-place: An existing unencrypted EBS volume cannot be switched to encrypted. The only path is snapshot, encrypted copy, and a new volume, which means a detach/attach swap and a maintenance window for attached volumes.
- Cross-account use of encrypted snapshots requires key permissions: A snapshot encrypted with the AWS managed `aws/ebs` key cannot be shared with another account at all; sharing requires a customer managed key whose key policy grants the other account access.
- Some older instance types don't support encrypted volumes: Current-generation instance types all support EBS encryption, so this mainly affects legacy fleets, but check before planning a swap.
Bottom line
Unencrypted EBS volumes are a quiet but significant risk. Encryption is simple to turn on, costs nothing extra with the AWS managed key (customer managed keys carry standard KMS charges), and is essential. Lensix can help ensure you stay on top of the risk.