Skill323 estrellas del repoactualizado today
cis-aws-compute-2.2.3
This CyberStrike AWS security skill audits and remediates unencrypted EBS volume snapshots in AWS environments. Use it when implementing data protection compliance requirements or conducting security assessments to ensure all EC2 EBS snapshots have encryption enabled, as unencrypted snapshots pose data exposure risks if compromised.
Instalar en Claude Code
Copiargit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-2.2.3 && cp -r /tmp/cis-aws-compute-2.2.3/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-2.2.3 ~/.claude/skills/cis-aws-compute-2.2.3Después abre una sesión nueva de Claude Code; el skill carga automáticamente.
Definición
SKILL.md
# Ensure EBS volume snapshots are encrypted
## Description
Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service.
## Rationale
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
## Impact
Existing unencrypted snapshots must be copied with encryption enabled. The original unencrypted snapshots should then be deleted. EBS snapshot volume encryption is configured per snapshot.
## Audit Procedure
### Using AWS CLI
1. Run describe-snapshots:
```bash
aws ec2 describe-snapshots --owner-ids <account number> --filter Name=status,Values=completed --query "Snapshots[*].{ID:SnapshotId}"
```
2. This will provide a list of all the snapshots associated with that account in the region.
3. For every snapshot listed - Run describe-snapshots:
```bash
aws ec2 describe-snapshots --snapshot-id <snap-name> --query "Snapshots[*].{Encrypt:Encrypted}"
```
4. If the output reads `"Encrypt": true`, Encryption is set on the snapshot.
If the output reads `"Encrypt": false` refer to the remediation below.
Note: EBS snapshot volume encryption is configured per snapshot.
### Using AWS Console
1. Login to the EC2 console using https://console.aws.amazon.com/ec2/
2. Under `Elastic Block Store`, click `Snapshots`.
3. Click the snapshot you want to review.
4. Select the `Description` tab.
5. Review the `Encryption` setting.
6. If it reads `encrypted` you are all set.
If it is set to `Not Encrypted` refer to the remediation below.
Note: EBS snapshot volume encryption is configured per snapshot.
## Expected Result
All snapshots should return `"Encrypt": true` from the CLI. In the console, all snapshots should show as `encrypted` in the Encryption field.
## Remediation
### Using AWS CLI
Using the snapshot ids gathered from the Audit section:
1. Run copy-snapshot:
```bash
aws ec2 copy-snapshot --source-region <region> --source-snapshot-id <snap-id> --description "Name of the new snapshot" --encrypted
```
2. This will copy the existing unencrypted snapshot and set it to encrypted. The output will show the new SnapshotId.
3. Run describe-snapshots:
```bash
aws ec2 describe-snapshots --owner-ids <account id> --filter Name=status,Values=completed --query "Snapshots[*].{ID:SnapshotId}"
```
Once the new Snapshot shows in the list confirm encryption is set:
4. Run describe-snapshots:
```bash
aws ec2 describe-snapshots --snapshot-id <snap-name> --query "Snapshots[*].{Encrypt:Encrypted}"
```
5. Repeat steps 1-4 for the snapshots that need to be encrypted.
Delete snapshots that are no longer needed:
6. Run delete-snapshot:
```bash
aws ec2 delete-snapshot --snapshot-id <snap-name>
```
7. Repeat for all unencrypted snapshots that have been copied and encrypted.
Note: EBS snapshot volume encryption is configured per snapshot.
### Using AWS Console
1. Login to the EC2 console using https://console.aws.amazon.com/ec2/
2. Under `Elastic Block Store`, click `Snapshots`.
3. Select the snapshot you want to encrypt.
4. Click on `Actions` select `Copy`.
```
Confirm `Snapshot ID`
Set the `Destination Region`
Update the `Description`
Select the check box for `Encryption`
```
5. Check the box for `Encrypt this snapshot`.
6. Set the `Master Key`.
7. Click on `Copy`.
8. Repeat steps 3-7 for the snapshots that need to be encrypted.
9. Delete any of the unencrypted snapshots that are not longer needed.
Note: EBS snapshot volume encryption is configured per snapshot.
## Default Value
By default, EBS snapshots are not encrypted. Encryption must be explicitly enabled when creating or copying snapshots.
## References
1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-snapshots.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-snapshot.html
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/copy-snapshot.html
## CIS Controls
| Controls Version | Control | IG 1 | IG 2 | IG 3 |
| ---------------- | ------------------------------------------ | ---- | ---- | ---- |
| v8 | 3.11 Encrypt Sensitive Data at Rest | | x | x |
| v7 | 14.8 Encrypt Sensitive Information at Rest | | | x |
## Profile
Level 1 | AutomatedDel mismo repositorio
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates