Launch Configuration Is Not Encrypted

  • Query id: 4de9de27-254e-424f-bd70-4c1e95790838
  • Query name: Launch Configuration Is Not Encrypted
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • CWE: Ongoing
  • URL: Github


Launch Configurations should encrypt the data on their block volumes. To encrypt the data, set the 'encrypted' parameter to true in each volume block (ebs_block_device and root_block_device).

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_launch_configuration" "positive1" {
  image_id      =
  instance_type = "m4.large"
  spot_price    = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey

  lifecycle {
    create_before_destroy = true

  ebs_block_device {
    device_name = "/dev/xvda1"

resource "aws_launch_configuration" "positive2" {
  image_id      =
  instance_type = "m4.large"
  spot_price    = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey

  lifecycle {
    create_before_destroy = true

  ebs_block_device {
    device_name = "/dev/xvda1"
    encrypted = false

resource "aws_launch_configuration" "positive3" {
  name = "test-launch-config"

  root_block_device {
    encrypted = false
Positive test num. 2 - tf file
module "asg" {
  source = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name = "example-lc"

  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]

  ebs_block_device = [
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true

  root_block_device = [
      volume_size = "50"
      volume_type = "gp2"

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true
Positive test num. 3 - tf file
module "asg" {
  source = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name = "example-lc"

  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]

  ebs_block_device = [ 
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      encrypted             = false

  root_block_device = [ 
      volume_size = "50"
      volume_type = "gp2"

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true

Positive test num. 4 - tf file
module "asg" {
  source = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name = "example-lc"

  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]

  ebs_block_device = [
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true

  root_block_device = [
      volume_size = "50"
      volume_type = "gp2"
      encrypted   = false

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_launch_configuration" "negative1" {
  image_id      =
  instance_type = "m4.large"
  spot_price    = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey

  lifecycle {
    create_before_destroy = true

  ebs_block_device {
    device_name = "/dev/xvda1"
    encrypted = true

resource "aws_launch_configuration" "negative2" {
  name = "test-launch-config"

  ephemeral_block_device {
    encrypted = false
Negative test num. 2 - tf file
module "asg" {
  source = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"

  # Launch configuration
  lc_name = "example-lc"

  image_id        = "ami-ebd02392"
  instance_type   = "t2.micro"
  security_groups = ["sg-12345678"]

  ebs_block_device = [
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      encrypted             = true

  root_block_device = [ 
      volume_size = "50"
      volume_type = "gp2"
      encrypted   = true

  # Auto scaling group
  asg_name                  = "example-asg"
  vpc_zone_identifier       = ["subnet-1235678", "subnet-87654321"]
  health_check_type         = "EC2"
  min_size                  = 0
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = 0

  tags = [
      key                 = "Environment"
      value               = "dev"
      propagate_at_launch = true
      key                 = "Project"
      value               = "megasecret"
      propagate_at_launch = true