Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-273994 | AZLX-23-000100 | SV-273994r1119970_rule | CCI-001199 | high |
| Description | ||||
| Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 | ||||
| STIG | Date | |||
| Amazon Linux 2023 Security Technical Implementation Guide | 2026-02-27 | |||
Details
Check Text (C-273994r1119970_chk)
Verify Amazon Linux 2023 is configured so that all partitions are encrypted with the following command:
$ sudo blkid
/dev/xvda1: UUID="ed0acbe9-bd05-495e-a9ac-cb615b29327d" TYPE="crypto_LUKS"
Every persistent disk partition present must be of "Type" "crypto_LUKS".
If any partitions other than the boot partition, bios partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", this is a finding.
Fix Text (F-77990r1119969_fix)
Configure Amazon Linux 2023 to protect the confidentiality and integrity of all information at rest.
Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed.
To encrypt an entire partition, dedicate a partition for encryption in the partition layout.