{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "CA-9(1)",
                "CM-3(6)",
                "SC-13",
                "SC-28",
                "SC-28(1)",
                "SC-7(10)",
                "SI-7(6)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "2.2",
                "3.4",
                "8.2.1"
            ]
        }
    ],
    "ConfigRuleIdentifier": "ENCRYPTED_VOLUMES",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether your standalone Amazon EC2 EBS volume and Amazon EBS volume created through an EC2 instance Block Device Mapping are encrypted at rest. Specifically, it checks that the Encrypted property is set to true in either the EBS volume resource definition or an EC2 instance resource definition's BlockDeviceMappings property.",
    "DisplayName": "Require an Amazon EBS volume resource to be encrypted at rest when defined by means of the AWS::EC2::Instance BlockDeviceMappings property or AWS::EC2::Volume resource type",
    "DocumentationReferences": [
        {
            "DisplayName": "Amazon EBS encryption",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::EC2::Instance",
        "AWS::EC2::Volume"
    ],
    "EvaluatedServices": [
        "Amazon EC2"
    ],
    "Groups": [
        "digital-sovereignty"
    ],
    "Guidance": "Elective",
    "Id": "CT.EC2.PR.7",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.2",
            "Name": "Encrypt data at rest"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "Relationships": [
        {
            "ControlId": "SH.EC2.3",
            "ControlOwner": "AWS Security Hub",
            "RelationshipType": "Can be used with (Inclusive)"
        }
    ],
    "ReleaseDate": "2022-11-28",
    "RemediationMessage": "Set 'Encryption' to true on EC2 EBS Volumes.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "2",
    "Visibility": "PUBLIC"
}