Launch Configuration Is Not Encrypted

  • Query id: 66477506-6abb-49ed-803d-3fa174cd5f6a
  • Query name: Launch Configuration Is Not Encrypted
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: note that encrypted volumes are only supported in >= Ansible 2.4
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: no
- name: note that encrypted volumes are only supported in >= Ansible 2.4 v2
  ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
- name: note that encrypted volumes are only supported in >= Ansible 2.4 v3
  ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: ['group', 'group2' ]
    instance_type: t1.micro

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: note that encrypted volumes are only supported in >= Ansible 2.4 v4
  ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: yes
- name: note that encrypted volumes are only supported in >= Ansible 2.4 v5
  community.aws.ec2_lc:
    name: special
    image_id: ami-XXX
    key_name: default
    security_groups: [group, group2]
    instance_type: t1.micro
    volumes:
    - device_name: /dev/sda1
      volume_size: 100
      volume_type: io1
      iops: 3000
      delete_on_termination: true
      encrypted: yes