AWS EBS volume is not encrypted

ID

ebs_volume_unencrypted

Severity

critical

Vendor

AWS

Resource

EBS

Tags

reachable

Description

Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices. You can mount these volumes as devices on your instances. EBS volumes that are attached to an instance are exposed as storage volumes that persist independently from the life of the instance.

Encrypting EBS volumes ensures that the volume data, and any snapshots or replicated copies made from it, remains protected even if a copy is accidentally exposed.

AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots. Keeping EBS volumes encrypted at rest reduces the risk of data exposure or data loss.

This detector enforces that all data stored in EBS volumes is encrypted.

Examples

CloudFormation

{
  "Resources": {
    "MyVolume": { (1)
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "AvailabilityZone": {
          "Ref": "AvailabilityZone"
        },
        "AutoEnableIO": true
      }
    }
  }
}
1 No Encrypted attribute means no encryption.
Resources:
  MyVolume: (1)
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !Ref AvailabilityZone
      AutoEnableIO: true
      Encrypted: false
1 Encrypted: false explicitly disables encryption.

Terraform

resource "aws_ebs_volume" "my_volume" { (1)
  availability_zone = "${var.availability_zone}"
  size              = 40

  tags = {
    Name = "HelloWorld"
  }
}

# ... or ...

resource "aws_ebs_volume" "my_volume" {
  availability_zone = "${var.availability_zone}"
  size              = 40

  tags = {
    Name = "HelloWorld"
  }

  encrypted = false (2)
}
1 Implicitly unencrypted (encrypted defaults to false when omitted)
2 Explicitly unencrypted
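As an added illustration of the rule shown in the examples above (this is example code, not the detector's own implementation), a small Python checker applies the same two conditions to a CloudFormation template: a missing Encrypted property and Encrypted set to false are both flagged, and a value supplied through a parameter is resolved via the parameter's Default where possible. The sample template and its resource names are constructed for this example.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample template (not from the page): one compliant volume, two
# violating volumes, one driven by a parameter Default, one unrelated resource.
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"EncryptVolumes": {"Type": "String", "Default": "false"}},
  "Resources": {
    "GoodVolume": {"Type": "AWS::EC2::Volume",
      "Properties": {"AvailabilityZone": "eu-west-1a", "Size": 40, "Encrypted": true}},
    "ImplicitVolume": {"Type": "AWS::EC2::Volume",
      "Properties": {"AvailabilityZone": "eu-west-1a", "Size": 40}},
    "ExplicitVolume": {"Type": "AWS::EC2::Volume",
      "Properties": {"AvailabilityZone": "eu-west-1a", "Encrypted": "false"}},
    "ParamVolume": {"Type": "AWS::EC2::Volume",
      "Properties": {"AvailabilityZone": "eu-west-1a", "Encrypted": {"Ref": "EncryptVolumes"}}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

def resolve_encrypted(value: Any, parameters: Dict[str, Any]) -> Optional[bool]:
    """Statically resolve an Encrypted value: JSON booleans and the strings
    "true"/"false" are literals; {"Ref": Param} resolves through the parameter's
    Default; anything else is unknown at scan time (None)."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        value = parameters.get(value["Ref"], {}).get("Default")
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None

def find_unencrypted_ebs_volumes(template: dict) -> Dict[str, str]:
    """Map each flagged AWS::EC2::Volume logical ID to a reason, mirroring the
    detector: Encrypted missing or false => unencrypted; unresolvable => review."""
    findings: Dict[str, str] = {}
    parameters = template.get("Parameters", {})
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        props = resource.get("Properties") or {}
        if "Encrypted" not in props:
            findings[logical_id] = "Encrypted missing (volume defaults to unencrypted)"
            continue
        encrypted = resolve_encrypted(props["Encrypted"], parameters)
        if encrypted is None:
            findings[logical_id] = "Encrypted not resolvable statically; verify"
        elif not encrypted:
            findings[logical_id] = "Encrypted is false"
    return findings
```

Running find_unencrypted_ebs_volumes(SAMPLE_TEMPLATE) flags ImplicitVolume, ExplicitVolume and ParamVolume while leaving GoodVolume and the S3 bucket alone.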

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyVolume": { (1)
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "AvailabilityZone": {
          "Ref": "AvailabilityZone"
        },
        "AutoEnableIO": true,
        "Encrypted": true
      }
    }
  }
}
1 Add Encrypted: true to enable encryption.
Resources:
  MyVolume: (1)
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !Ref AvailabilityZone
      AutoEnableIO: true
      Encrypted: true
1 Add Encrypted: true to enable encryption.

Terraform

resource "aws_ebs_volume" "my_volume" {
  availability_zone = "${var.availability_zone}"
  size              = 40

  tags = {
    Name = "HelloWorld"
  }

  encrypted = true # FIXED
}

Please note that there is no direct way to encrypt an existing unencrypted EBS volume or snapshot in place; you need to recreate the volume with encryption enabled.

To avoid configuration drift, you should create EBS volumes with encryption enabled in the IaC template.

You may use the aws command to enable encryption by default for new EBS volumes created in a given region:

aws ec2 --region <REGION> enable-ebs-encryption-by-default

Read "Automatically encrypt existing and new Amazon EBS volumes" for more details on how to enforce EBS encryption automatically.