EBS Volume Without KmsKeyId
- Query id: b7063015-6c31-4658-a8e7-14f98f37fd42
- Query name: EBS Volume Without KmsKeyId
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description¶
EBS Volume should specify a KmsKeyId value
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
NewVolume:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
Tags:
- Key: MyTag
Value: TagValue
DeletionPolicy: Snapshot
Postitive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating ECS service",
"Resources": {
"NewVolume": {
"Type": "AWS::EC2::Volume",
"Properties": {
"Size": 100,
"Encrypted": true,
"AvailabilityZone": "Ec2Instance.AvailabilityZone",
"Tags": [
{
"Key": "MyTag",
"Value": "TagValue"
}
]
},
"DeletionPolicy": "Snapshot"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
MyKey:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
NewVolume:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
Tags:
- Key: MyTag
Value: TagValue
KmsKeyId: !Ref MyKey
DeletionPolicy: Snapshot
Negative test num. 2 - json file
{
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"NewVolume": {
"DeletionPolicy": "Snapshot",
"Type": "AWS::EC2::Volume",
"Properties": {
"KmsKeyId": "MyKey",
"Size": 100,
"Encrypted": true,
"AvailabilityZone": "Ec2Instance.AvailabilityZone",
"Tags": [
{
"Key": "MyTag",
"Value": "TagValue"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating ECS service"
}