Skill323 estrellas del repoactualizado today
cis-aws-compute-2.2.1
This skill audits and remediates AWS EBS volume encryption settings across regions using AWS CLI or Console commands. Use it to verify that default encryption is enabled for new EBS volumes, which protects data at rest and meets encryption compliance requirements.
Instalar en Claude Code
Copiargit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-2.2.1 && cp -r /tmp/cis-aws-compute-2.2.1/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-2.2.1 ~/.claude/skills/cis-aws-compute-2.2.1Después abre una sesión nueva de Claude Code; el skill carga automáticamente.
Definición
SKILL.md
# Ensure EBS volume encryption is enabled ## Description Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. ## Rationale Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken. ## Impact Enabling EBS encryption by default applies to all new volumes. Existing unencrypted volumes are not affected. This is configured per region. ## Audit Procedure ### Using AWS CLI 1. Run: ```bash aws --region <region> ec2 get-ebs-encryption-by-default ``` 2. Verify that `"EbsEncryptionByDefault": true` is displayed. 3. Review every region in-use. Note: EBS volume encryption is configured per region. ### Using AWS Console 1. Login to the EC2 console using https://console.aws.amazon.com/ec2/ 2. Under `Account attributes`, click `EBS encryption`. 3. Verify `Always encrypt new EBS volumes` displays `Enabled`. 4. Review every region in-use. Note: EBS volume encryption is configured per region. ## Expected Result The CLI should return `"EbsEncryptionByDefault": true` for every region in use. In the console, `Always encrypt new EBS volumes` should display `Enabled`. ## Remediation ### Using AWS CLI 1. Run: ```bash aws --region <region> ec2 enable-ebs-encryption-by-default ``` 2. Verify that `"EbsEncryptionByDefault": true` is displayed. 3. Repeat every region requiring the change. Note: EBS volume encryption is configured per region. ### Using AWS Console 1. Login to the EC2 console using https://console.aws.amazon.com/ec2/ 2. Under `Account attributes`, click `EBS encryption`. 3. Click `Manage`. 4. Click the `Enable` checkbox. 5. Click `Update EBS encryption`. 6. Repeat for every region requiring the change. Note: EBS volume encryption is configured per region. ## Default Value EBS encryption by default is disabled. It must be explicitly enabled per region. ## References 1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html 2. https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/ 3. AWS Config rule - ec2_ebs_encryption_by_default ## CIS Controls | Controls Version | Control | IG 1 | IG 2 | IG 3 | | ---------------- | ------------------------------------------ | ---- | ---- | ---- | | v8 | 3.11 Encrypt Sensitive Data at Rest | | x | x | | v7 | 14.8 Encrypt Sensitive Information at Rest | | | x | ## Profile Level 1 | Automated
Del mismo repositorio
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates