Launch configurations do not have encrypted EBS volumes

ID

launch_config_ebs_unencrypted

Severity

critical

Vendor

AWS

Resource

EBS

Tags

reachable

Description

Amazon Elastic Block Store (EBS) volumes can be encrypted when creating EC2 instances and Auto Scaling launch configurations. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in transit between EBS and EC2 are all encrypted.

This detector reports AWS instances or launch configurations whose root block device or EBS block device is not (explicitly) encrypted.

Please note that, when a device is based on a snapshot (using the snapshot_id attribute), the encryption state is determined by the snapshot itself, so the detector cannot know whether such a device is encrypted.
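As an added example (not the detector's own code), the following Python check applies the rules above to a CloudFormation template in JSON: an Ebs mapping is reported when Encrypted is explicitly false or omitted, and is skipped as undecidable when the device comes from a SnapshotId. The sample template is constructed for this example.

```python
import json

# Constructed sample template, not the page's own: four mappings, one per case.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AutoScalingConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/sdk", "Ebs": {"VolumeSize": 50}},
                    {"DeviceName": "/dev/sdf", "Ebs": {"Encrypted": False}},
                    {"DeviceName": "/dev/sdg", "Ebs": {"Encrypted": True}},
                    {"DeviceName": "/dev/sdh", "Ebs": {"SnapshotId": "snap-PLACEHOLDER"}},
                ],
            },
        }
    }
})

# Resource types whose BlockDeviceMappings the check inspects.
CHECKED_TYPES = {"AWS::AutoScaling::LaunchConfiguration", "AWS::EC2::Instance"}


def classify_ebs(ebs):
    """Classify one Ebs mapping: encrypted, unencrypted, implicit or unknown."""
    if ebs.get("Encrypted") in (True, "true"):
        return "encrypted"
    if "Encrypted" in ebs:
        return "unencrypted"   # explicitly set to false
    if "SnapshotId" in ebs:
        return "unknown"       # state comes from the snapshot; not decidable statically
    return "implicit"          # Encrypted omitted, so it defaults to false


def find_unencrypted_devices(template_text):
    """Return (resource, device, state) for every mapping the detector would report."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") not in CHECKED_TYPES:
            continue
        for mapping in res.get("Properties", {}).get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs")
            if ebs is None:
                continue       # instance-store (ephemeral) mapping, no EBS volume
            state = classify_ebs(ebs)
            if state in ("unencrypted", "implicit"):
                findings.append((name, mapping.get("DeviceName"), state))
    return findings
```

Running find_unencrypted_devices(SAMPLE_TEMPLATE) reports /dev/sdk (implicit) and /dev/sdf (unencrypted); /dev/sdg passes and /dev/sdh is left undecided.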

Examples

CloudFormation

{
  "Resources": {
    "AutoScalingConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "SecurityGroups": [
          "myExistingEC2SecurityGroup"
        ],
        "InstanceType": "m1.small",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sdk",
            "Ebs": { (1)
              "VolumeSize": 50
            }
          },
          {
            "DeviceName": "/dev/sdf",
            "Ebs": {
              "Encrypted": false (2)
            }
          }
        ]
      }
    }
  }
}
1 Encryption is disabled implicitly. The Encrypted attribute defaults to false.
2 EBS device with encryption explicitly disabled.
Resources:
  AutoScalingConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-0ff8a91507f77f867
      SecurityGroups:
      - myExistingEC2SecurityGroup
      InstanceType: m1.small
      BlockDeviceMappings:
      - DeviceName: "/dev/sdk"
        Ebs: (1)
          VolumeSize: 50
      - DeviceName: "/dev/sdf"
        Ebs:
          Encrypted: false (2)
1 Encryption is disabled implicitly. The Encrypted attribute defaults to false.
2 EBS device with encryption explicitly disabled.

Terraform

The following AWS instance will be reported as flawed:

resource "aws_instance" "my_instance" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = var.key_name

  root_block_device { (1)
    volume_type = "gp2"
    volume_size = var.root_volume_size
  }

  ebs_block_device {
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    device_name = "/dev/xvdb"
    encrypted   = false (2)
  }
}
1 Encryption is disabled implicitly. The encrypted attribute defaults to false. The boot device is reported as well.
2 EBS device with encryption explicitly disabled.

Another flawed launch configuration for an Auto Scaling group, with no encryption on the root or EBS block device:

resource "aws_launch_configuration" "launch_conf" {
  name_prefix                 = "elk"
  image_id                    = data.aws_ami.elk.image_id
  iam_instance_profile        = aws_iam_instance_profile.elk.name
  instance_type               = var.instance_type
  security_groups             = [aws_security_group.elk.id]
  associate_public_ip_address = false

  lifecycle {
    create_before_destroy = true
  }

  root_block_device {
    encrypted = false (1)
    // ...
  }
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
1 Root block device with encryption explicitly disabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "AutoScalingConfig": { (1)
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0ff8a91507f77f867",
        "SecurityGroups": [
          "myExistingEC2SecurityGroup"
        ],
        "InstanceType": "m1.small",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sdk",
            "Ebs": {
              "VolumeSize": 50,
              "Encrypted": true
            }
          },
          {
            "DeviceName": "/dev/sdf",
            "Ebs": {
              "Encrypted": true
            }
          }
        ]
      }
    }
  }
}
1 The Encrypted attribute is set to true for both volumes.
Resources:
  AutoScalingConfig: (1)
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-0ff8a91507f77f867
      SecurityGroups:
      - myExistingEC2SecurityGroup
      InstanceType: m1.small
      BlockDeviceMappings:
      - DeviceName: "/dev/sdk"
        Ebs:
          VolumeSize: 50
          Encrypted: true
      - DeviceName: "/dev/sdf"
        Ebs:
          Encrypted: true
1 The Encrypted attribute is set to true for both volumes.

Terraform

resource "aws_instance" "my_instance" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = var.key_name

  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volume_size
    encrypted   = true // FIXED
  }

  ebs_block_device {
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    device_name = "/dev/xvdb"
    encrypted   = true // FIXED
  }
}

Setting encryption for the boot and EBS volumes of the launch configuration is similar:

resource "aws_launch_configuration" "launch_conf" {
  name_prefix                 = "elk"
  image_id                    = data.aws_ami.elk.image_id
  iam_instance_profile        = aws_iam_instance_profile.elk.name
  instance_type               = var.instance_type
  security_groups             = [aws_security_group.elk.id]
  associate_public_ip_address = false

  lifecycle {
    create_before_destroy = true
  }

  root_block_device {
    encrypted = true // FIXED
    // ...
  }
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}