Autoscaling launch configuration has no data in the volumes encrypted

ID

aws_ec2_config_not_encrypted

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

This autoscaling launch configuration defines volumes whose data is not encrypted. Anyone with access to the volumes could read the data in plain text.

To fix it, configure volumes.encrypted=true on every volume in the launch configuration.

Learn more about this topic in the AWS Auto Scaling launch configuration documentation.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration with an unencrypted volume
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        security_groups: [ 'group', 'group2' ]
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: false
          - device_name: /dev/sdb
            ephemeral: ephemeral0

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a launch configuration with an encrypted volume
      community.aws.autoscaling_launch_config:
        name: special
        image_id: ami-XXX
        key_name: default
        security_groups: [ 'group', 'group2' ]
        instance_type: t1.micro
        volumes:
          - device_name: /dev/sda1
            volume_size: 100
            volume_type: io1
            iops: 3000
            delete_on_termination: true
            encrypted: true
          - device_name: /dev/sdb
            ephemeral: ephemeral0
            encrypted: true
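A checker for this rule, written as an added example rather than code from the page or from Snyk: it walks a loaded playbook, finds launch-configuration tasks and reports every entry in `volumes` that is not set to `encrypted: true`, which is exactly what separates the "Examples" playbook above from the "Mitigation / Fix" one. The module names, the `block`/`rescue`/`always` descent and the sample playbook literal are assumptions of this example; the sample mirrors the page's vulnerable playbook as `yaml.safe_load()` would return it.

```python
# Module names under which the launch-configuration module has shipped;
# all of them take the same `volumes` list.
LAUNCH_CONFIG_MODULES = {
    "community.aws.autoscaling_launch_config", "autoscaling_launch_config",
    "community.aws.ec2_lc", "ec2_lc",
}


def _iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        for section in ("block", "rescue", "always"):
            yield from _iter_tasks(task.get(section))
        yield task


def find_unencrypted_volumes(playbook):
    """Return (task name, device_name) for each volume without encrypted: true.
    `playbook` is what yaml.safe_load() returns for a playbook: a list of plays."""
    findings = []
    for play in playbook:
        for task in _iter_tasks(play.get("tasks")):
            module_args = next((task[m] for m in LAUNCH_CONFIG_MODULES if m in task), None)
            if not isinstance(module_args, dict):
                continue  # not a launch-configuration task (or free-form args)
            for volume in module_args.get("volumes") or []:
                # The rule expects encrypted: true on every entry; the page's fix
                # adds it to the ephemeral instance-store mapping as well.
                if volume.get("encrypted") is not True:
                    findings.append((task.get("name"), volume.get("device_name")))
    return findings


# Constructed sample: the page's "Examples" playbook as yaml.safe_load() would
# return it (fields not relevant to the check are left out).
VULNERABLE_PLAYBOOK = [{
    "name": "Example playbook",
    "tasks": [{
        "name": "create a launch configuration with an encrypted volume",
        "community.aws.autoscaling_launch_config": {
            "name": "special",
            "volumes": [
                {"device_name": "/dev/sda1", "volume_size": 100, "encrypted": False},
                {"device_name": "/dev/sdb", "ephemeral": "ephemeral0"},
            ],
        },
    }],
}]
```

Running `find_unencrypted_volumes(VULNERABLE_PLAYBOOK)` reports both `/dev/sda1` and `/dev/sdb`; the same call on the fixed playbook returns an empty list.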