Objectives: Create an EC2 instance with an unencrypted EBS volume. Show how AWS Config marks it as non-compliant, and then fix it either by enabling encryption at creation or by migrating the volume via a snapshot.
Step 1: Create EC2 Instance with Unencrypted EBS Volume
Log into your AWS Management Console and search for EC2 on the search bar.
On the EC2 console, click Launch Instance. Fill in the name [Pod3_Digital] and select an AMI [Amazon Linux].
Choose the instance type [t3.micro], then create a key pair [Key_pod3]. Leave the other settings at their defaults and select Create key pair.
Under Network settings, choose your VPC [pod3vpc] and subnet [Public Subnet], and enable Auto-assign public IP.
Under Storage, click Edit and set Encrypted to Not encrypted. This ensures the EBS volume is created unencrypted, which is the condition we want AWS Config to detect in the next step.
Leave all other settings as default and launch the instance.
Step 2: AWS Config marks volume as Non-Compliant
Now go to AWS Config, select Rules, and click Add rule. Search for encrypted-volumes, select it, and click Next.
Leave all other settings as default, then Review and Create.
After a few seconds, click the new rule; the EBS volume from Step 1 should be listed as Non-compliant.
Step 3: Fix the Non-Compliant Volume
Here you can fix the non-compliance either by creating an encrypted copy of the volume via a snapshot (an existing EBS volume cannot be encrypted in place) or by relaunching the EC2 instance with an encrypted volume this time.
Going with the latter, terminate the unencrypted EC2 instance [Pod3_Digital] and launch a new one.
Repeat the steps for creating the new instance [pod_Digital], but this time ensure that Encrypted is set to Encrypted under Storage.
Instance successfully created.
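The console steps above rely on the AWS Config managed rule to spot the unencrypted volume and on the Storage setting to prevent a repeat. The following Python is an added example, not part of the original lab and not AWS code: it models the evaluation the encrypted-volumes rule performs over the data shape that `aws ec2 describe-volumes` returns (only attached volumes are evaluated, with an optional kmsId parameter requiring a specific key), and adds a preventive check over the BlockDeviceMappings you would pass to run-instances so the non-compliant volume is never created. The sample volumes, instance IDs and KMS key ARN are constructed placeholders; the function names are this example's own. It runs offline, so you can point it at a saved JSON dump from your own account.

```python
"""Offline model of the AWS Config managed rule `encrypted-volumes`.

Added example, not from the original lab or from AWS. It evaluates the
shape of data that `aws ec2 describe-volumes` returns, so it can be run
against a saved JSON dump without touching an account. The sample volumes
below are constructed for this example; the volume IDs, instance IDs and
KMS key ARN are placeholders, not real resources.
"""

from dataclasses import dataclass

# Constructed sample: the same shape as the "Volumes" list in
# `aws ec2 describe-volumes` output (trimmed to the fields the rule needs).
SAMPLE_VOLUMES = [
    {   # root volume of the lab instance launched with Encrypted = Not encrypted
        "VolumeId": "vol-0000000000000aaaa",
        "Encrypted": False,
        "State": "in-use",
        "Attachments": [{"InstanceId": "i-0000000000000aaaa", "State": "attached"}],
    },
    {   # volume of the relaunched instance, encrypted with a placeholder KMS key
        "VolumeId": "vol-0000000000000bbbb",
        "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-DEFAULT",
        "State": "in-use",
        "Attachments": [{"InstanceId": "i-0000000000000bbbb", "State": "attached"}],
    },
    {   # left-over unencrypted volume that is not attached to anything
        "VolumeId": "vol-0000000000000cccc",
        "Encrypted": False,
        "State": "available",
        "Attachments": [],
    },
]


@dataclass(frozen=True)
class Evaluation:
    volume_id: str
    compliance: str   # COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE
    reason: str


def is_attached(volume):
    """True when at least one attachment of the volume is in the attached state."""
    return any(a.get("State") == "attached" for a in volume.get("Attachments", []))


def evaluate_volume(volume, kms_key_id=None):
    """Mirror the published semantics of encrypted-volumes: only attached
    volumes are evaluated; an optional kmsId parameter additionally requires
    that the volume be encrypted with that specific key."""
    vid = volume["VolumeId"]
    if not is_attached(volume):
        return Evaluation(vid, "NOT_APPLICABLE", "volume is not attached")
    if not volume.get("Encrypted", False):
        return Evaluation(vid, "NON_COMPLIANT", "attached volume is unencrypted")
    if kms_key_id is not None and volume.get("KmsKeyId") != kms_key_id:
        return Evaluation(vid, "NON_COMPLIANT", "encrypted with a different KMS key than required")
    return Evaluation(vid, "COMPLIANT", "attached volume is encrypted")


def evaluate_volumes(volumes, kms_key_id=None):
    """Evaluate every volume in a describe-volumes style list."""
    return [evaluate_volume(v, kms_key_id) for v in volumes]


def non_compliant_ids(volumes, kms_key_id=None):
    """IDs of the volumes the rule would flag, i.e. the ones needing remediation."""
    return [e.volume_id for e in evaluate_volumes(volumes, kms_key_id)
            if e.compliance == "NON_COMPLIANT"]


def check_block_device_mappings(mappings):
    """Preventive check for the fix-at-creation path: inspect the
    BlockDeviceMappings you would pass to run-instances (or put in a launch
    template) and return the device names whose EBS settings do not request
    encryption. Catching it here avoids ever creating the non-compliant volume."""
    unencrypted = []
    for m in mappings:
        ebs = m.get("Ebs")
        if ebs is None:         # instance-store mapping, no EBS volume involved
            continue
        if not ebs.get("Encrypted", False):
            unencrypted.append(m["DeviceName"])
    return unencrypted


if __name__ == "__main__":
    for e in evaluate_volumes(SAMPLE_VOLUMES):
        print(f"{e.volume_id}: {e.compliance} ({e.reason})")
    # Launch spec as the lab's first launch would produce it (Encrypted left unset)
    bad_spec = [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "VolumeType": "gp3"}}]
    print("devices that would launch unencrypted:", check_block_device_mappings(bad_spec))
```

Note that the unattached volume comes back NOT_APPLICABLE rather than NON_COMPLIANT, matching the rule's scope; if you want orphaned unencrypted volumes flagged as well, add a separate sweep rather than loosening `evaluate_volume`, so your offline results still track what the console shows.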