EBS Volume Without KmsKeyId

• Query id: b7063015-6c31-4658-a8e7-14f98f37fd42
• Query name: EBS Volume Without KmsKeyId
• Platform: CloudFormation
• Severity: Medium
• Category: Secret Management
• URL: Github

Description

EBS Volume should specify a KmsKeyId value
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
  NewVolume:
      Type: AWS::EC2::Volume
      Properties:
        Size: 100
        Encrypted: true
        AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
        Tags:
          - Key: MyTag
            Value: TagValue
      DeletionPolicy: Snapshot

Postitive test num. 2 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "Creating ECS service",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Size": 100,
        "Encrypted": true,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone",
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ]
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
  MyKey:
    Type: "AWS::KMS::Key"
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ""
                - - "arn:aws:iam::"
                  - !Ref "AWS::AccountId"
                  - ":root"
            Action: "kms:*"
            Resource: "*"
  NewVolume:
      Type: AWS::EC2::Volume
      Properties:
        Size: 100
        Encrypted: true
        AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
        Tags:
          - Key: MyTag
            Value: TagValue
        KmsKeyId: !Ref MyKey
      DeletionPolicy: Snapshot

Negative test num. 2 - json file

{
  "Resources": {
    "MyKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17T00:00:00Z",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "",
                  [
                    "arn:aws:iam::",
                    "AWS::AccountId",
                    ":root"
                  ]
                ]
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "NewVolume": {
      "DeletionPolicy": "Snapshot",
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "KmsKeyId": "MyKey",
        "Size": 100,
        "Encrypted": true,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone",
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "Creating ECS service"
}