Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-273994 | SRG-OS-000185-GPOS-00079 | AZLX-23-000100 | SV-273994r1119970_rule | 2025-07-15 | 1 |
| Description |
|---|
| Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 |
| ℹ️ Check |
|---|
| Verify Amazon Linux 2023 is configured so that all partitions are encrypted with the following command: $ sudo blkid /dev/xvda1: UUID="ed0acbe9-bd05-495e-a9ac-cb615b29327d" TYPE="crypto_LUKS" Every persistent disk partition present must be of "Type" "crypto_LUKS". If any partitions other than the boot partition, bios partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", this is a finding. |
| ✔️ Fix |
|---|
| Configure Amazon Linux 2023 to protect the confidentiality and integrity of all information at rest. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. |