Team Project

Led by: Engr. Oluebube Nwadike & Engr. Kosisochukwu Benjamin

Project Description:

This project demonstrates how AWS Config can detect and enforce compliance for key cloud security best practices. Three security controls were tested in a live AWS environment, each starting in a NON_COMPLIANT state, then remediated to achieve COMPLIANT status.

The focus areas were:

  1. EBS Volume Encryption (encrypted-volumes) – Showcasing the importance of data-at-rest encryption by detecting attached, unencrypted EBS volumes, then remediating by snapshotting the volume, copying the snapshot with encryption enabled, and replacing the volume (an existing EBS volume cannot be encrypted in place).
  2. EC2 Instance SSH Restricted (restricted-ssh) – Highlighting network security by detecting security groups that allow inbound SSH (TCP/22) from anywhere (0.0.0.0/0 or ::/0) and restricting the source to trusted IP ranges.
  3. Root Account MFA Enabled (root-account-mfa-enabled) – Demonstrating account hardening by enabling Multi-Factor Authentication (MFA) on the AWS root account, so that a leaked root password alone is not enough to sign in.

By completing these exercises, the project validates AWS Config's role in continuous compliance monitoring: each rule flagged the misconfiguration as NON_COMPLIANT within its evaluation cycle, and each returned to COMPLIANT once the resource was remediated. Remediation in this project was performed manually; the same rules can be paired with automatic remediation to enforce policy rather than only report on it.

Section 1 – EBS Volume Encryption (encrypted-volumes)

Situation:

In a cloud environment, unencrypted EBS volumes pose a data-at-rest risk: anyone who obtains a copy of the volume's data, for example through a snapshot that is shared or copied to another account, can read its contents directly, and many compliance baselines require storage encryption outright. AWS Config provides the managed encrypted-volumes rule, which evaluates attached EBS volumes and reports any that are unencrypted as NON_COMPLIANT.

Task:

Deliberately create an unencrypted EBS volume to trigger a NON_COMPLIANT status in AWS Config, then remediate by replacing it with an encrypted copy of the same data (encryption cannot be switched on for an existing volume), ensuring the environment meets security best practices.
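The detection and remediation described in this section, as an added example that is not part of the original project: the function evaluate_encrypted_volumes mirrors the logic of the encrypted-volumes rule over describe-volumes style records, and replace_with_encrypted_volume performs the snapshot, encrypted snapshot copy, new volume, detach and attach sequence against a boto3-style EC2 client. The FakeEC2 class is an in-memory stand-in so the block runs offline; pointing the same remediation function at boto3.client("ec2") issues the real API calls. All volume, snapshot, instance and KMS identifiers are constructed placeholders.

```python
"""Added example (not the project's own code): encrypted-volumes rule logic plus the
snapshot-copy remediation it requires. The ec2 parameter is duck-typed so that either
boto3.client("ec2") or the FakeEC2 stub below can be passed in."""
import itertools


def evaluate_encrypted_volumes(volumes, kms_key_id=None):
    """Mirror the AWS Config managed rule encrypted-volumes.

    Only volumes in the attached ("in-use") state are evaluated; detached volumes are
    skipped, which is why an unattached unencrypted volume does not show up under this
    rule. An attached volume is COMPLIANT when Encrypted is true and, if kms_key_id is
    given (the rule's optional kmsId parameter), when its KmsKeyId ends with that value
    (so either a key ID or a full key ARN matches)."""
    results = {}
    for v in volumes:
        if v.get("State") != "in-use":
            continue
        ok = bool(v.get("Encrypted", False))
        if ok and kms_key_id:
            ok = str(v.get("KmsKeyId", "")).endswith(kms_key_id)
        results[v["VolumeId"]] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return results


def replace_with_encrypted_volume(ec2, volume_id, instance_id, device, az,
                                  kms_key_id=None, region="us-east-1"):
    """EBS encryption cannot be enabled in place. The working sequence is:
    snapshot -> copy the snapshot with Encrypted=True -> create a volume from the
    encrypted copy (it inherits encryption) -> detach the old volume -> attach the new
    one at the same device name. Stop the instance before calling this."""
    snap = ec2.create_snapshot(VolumeId=volume_id, Description="pre-encryption copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
    copy_kwargs = {"SourceRegion": region, "SourceSnapshotId": snap, "Encrypted": True}
    if kms_key_id:                      # default is the account's aws/ebs key
        copy_kwargs["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_kwargs)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
    new_vol = ec2.create_volume(AvailabilityZone=az, SnapshotId=enc_snap)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
    ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    return new_vol


class FakeEC2:
    """In-memory stand-in for the boto3 EC2 client: keeps a volume/snapshot table and
    records the calls made, so the remediation order can be checked offline."""
    def __init__(self, volumes):
        self.volumes = {v["VolumeId"]: dict(v) for v in volumes}
        self.snapshots = {}
        self.calls = []
        self._ids = itertools.count(1)

    def _new(self, prefix):
        return f"{prefix}-{next(self._ids):017x}"

    def get_waiter(self, name):          # waiters are no-ops in the stub
        self.calls.append(("wait", name))
        return self

    def wait(self, **kwargs):
        pass

    def create_snapshot(self, VolumeId, Description=""):
        src = self.volumes[VolumeId]
        sid = self._new("snap")
        self.snapshots[sid] = {"Encrypted": src.get("Encrypted", False), "Size": src["Size"]}
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": sid}

    def copy_snapshot(self, SourceRegion, SourceSnapshotId, Encrypted=False, KmsKeyId=None):
        src = self.snapshots[SourceSnapshotId]
        sid = self._new("snap")
        # An encrypted source stays encrypted; an unencrypted one becomes encrypted only
        # when Encrypted=True is requested, exactly as the real CopySnapshot API behaves.
        self.snapshots[sid] = {"Encrypted": Encrypted or src["Encrypted"],
                               "Size": src["Size"], "KmsKeyId": KmsKeyId}
        self.calls.append(("copy_snapshot", SourceSnapshotId, Encrypted))
        return {"SnapshotId": sid}

    def create_volume(self, AvailabilityZone, SnapshotId, **kwargs):
        snap = self.snapshots[SnapshotId]
        vid = self._new("vol")
        self.volumes[vid] = {"VolumeId": vid, "State": "available", "Size": snap["Size"],
                             "Encrypted": snap["Encrypted"], "KmsKeyId": snap.get("KmsKeyId"),
                             "AvailabilityZone": AvailabilityZone}
        self.calls.append(("create_volume", SnapshotId))
        return {"VolumeId": vid}

    def detach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["State"] = "available"
        self.calls.append(("detach_volume", VolumeId))
        return {}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["State"] = "in-use"
        self.calls.append(("attach_volume", VolumeId))
        return {}

    def describe_volumes(self):
        return {"Volumes": list(self.volumes.values())}


# Constructed sample, shaped like describe-volumes output (placeholder identifiers).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaa1", "State": "in-use", "Encrypted": False, "Size": 8,
     "AvailabilityZone": "us-east-1a"},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbb2", "State": "in-use", "Encrypted": True, "Size": 8,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"VolumeId": "vol-0ccccccccccccccc3", "State": "available", "Encrypted": False, "Size": 20},
]


def demo():
    """Evaluate, remediate the flagged volume, evaluate again; returns the evidence."""
    ec2 = FakeEC2(SAMPLE_VOLUMES)
    before = evaluate_encrypted_volumes(ec2.describe_volumes()["Volumes"])
    new_vol = replace_with_encrypted_volume(ec2, "vol-0aaaaaaaaaaaaaaa1",
                                            "i-0123456789abcdef0", "/dev/xvda", "us-east-1a")
    after = evaluate_encrypted_volumes(ec2.describe_volumes()["Volumes"])
    return before, after, new_vol, ec2.calls


if __name__ == "__main__":
    b, a, v, _ = demo()
    print("before:", b)
    print("after: ", a, "(new volume", v + ")")
```

The third sample volume is deliberately unattached: it is just as unencrypted as the first, but the rule does not report it, so a clean encrypted-volumes dashboard does not mean every volume in the account is encrypted. Enabling EBS encryption by default for the region closes that gap for new volumes.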

Action:

  1. Launched an EC2 instance named Test-Unencrypted-Volume with encryption disabled in the storage settings.

  2. Opened AWS Config, searched for encrypted-volumes, and verified that the instance's root volume was flagged as NON_COMPLIANT (the rule evaluates AWS::EC2::Volume resources, so the finding is listed against the volume ID rather than the instance).

    📸 Screenshot 1 – NON_COMPLIANT status in AWS Config.

    v3.PNG

  3. Stopped the EC2 instance, took a snapshot of the unencrypted volume, copied that snapshot with encryption enabled (a snapshot of an unencrypted volume is itself unencrypted; the copy is where encryption is applied), and created a new volume from the encrypted copy.