Launch Configuration Is Not Encrypted
- Query id: 4de9de27-254e-424f-bd70-4c1e95790838
- Query name: Launch Configuration Is Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: Ongoing
- URL: Github
Description¶
Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_launch_configuration" "positive1" {
image_id = data.aws_ami.ubuntu.id
instance_type = "m4.large"
spot_price = "0.001"
user_data_base64 = "c29tZUtleQ==" # someKey
lifecycle {
create_before_destroy = true
}
ebs_block_device {
device_name = "/dev/xvda1"
}
}
resource "aws_launch_configuration" "positive2" {
image_id = data.aws_ami.ubuntu.id
instance_type = "m4.large"
spot_price = "0.001"
user_data_base64 = "c29tZUtleQ==" # someKey
lifecycle {
create_before_destroy = true
}
ebs_block_device {
device_name = "/dev/xvda1"
encrypted = false
}
}
resource "aws_launch_configuration" "positive3" {
name = "test-launch-config"
root_block_device {
encrypted = false
}
}
Positive test num. 2 - tf file
module "asg" {
source = "terraform-aws-modules/autoscaling/aws"
version = "1.0.4"
# Launch configuration
lc_name = "example-lc"
image_id = "ami-ebd02392"
instance_type = "t2.micro"
security_groups = ["sg-12345678"]
ebs_block_device = [
{
device_name = "/dev/xvdz"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = true
}
]
root_block_device = [
{
volume_size = "50"
volume_type = "gp2"
}
]
# Auto scaling group
asg_name = "example-asg"
vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
health_check_type = "EC2"
min_size = 0
max_size = 1
desired_capacity = 1
wait_for_capacity_timeout = 0
tags = [
{
key = "Environment"
value = "dev"
propagate_at_launch = true
},
{
key = "Project"
value = "megasecret"
propagate_at_launch = true
},
]
}
Positive test num. 3 - tf file
module "asg" {
source = "terraform-aws-modules/autoscaling/aws"
version = "1.0.4"
# Launch configuration
lc_name = "example-lc"
image_id = "ami-ebd02392"
instance_type = "t2.micro"
security_groups = ["sg-12345678"]
ebs_block_device = [
{
device_name = "/dev/xvdz"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = true
encrypted = false
}
]
root_block_device = [
{
volume_size = "50"
volume_type = "gp2"
}
]
# Auto scaling group
asg_name = "example-asg"
vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
health_check_type = "EC2"
min_size = 0
max_size = 1
desired_capacity = 1
wait_for_capacity_timeout = 0
tags = [
{
key = "Environment"
value = "dev"
propagate_at_launch = true
},
{
key = "Project"
value = "megasecret"
propagate_at_launch = true
},
]
}
Positive test num. 4 - tf file
module "asg" {
source = "terraform-aws-modules/autoscaling/aws"
version = "1.0.4"
# Launch configuration
lc_name = "example-lc"
image_id = "ami-ebd02392"
instance_type = "t2.micro"
security_groups = ["sg-12345678"]
ebs_block_device = [
{
device_name = "/dev/xvdz"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = true
}
]
root_block_device = [
{
volume_size = "50"
volume_type = "gp2"
encrypted = false
}
]
# Auto scaling group
asg_name = "example-asg"
vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
health_check_type = "EC2"
min_size = 0
max_size = 1
desired_capacity = 1
wait_for_capacity_timeout = 0
tags = [
{
key = "Environment"
value = "dev"
propagate_at_launch = true
},
{
key = "Project"
value = "megasecret"
propagate_at_launch = true
},
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_launch_configuration" "negative1" {
image_id = data.aws_ami.ubuntu.id
instance_type = "m4.large"
spot_price = "0.001"
user_data_base64 = "c29tZUtleQ==" # someKey
lifecycle {
create_before_destroy = true
}
ebs_block_device {
device_name = "/dev/xvda1"
encrypted = true
}
}
resource "aws_launch_configuration" "negative2" {
name = "test-launch-config"
ephemeral_block_device {
encrypted = false
}
}
Negative test num. 2 - tf file
module "asg" {
source = "terraform-aws-modules/autoscaling/aws"
version = "1.0.4"
# Launch configuration
lc_name = "example-lc"
image_id = "ami-ebd02392"
instance_type = "t2.micro"
security_groups = ["sg-12345678"]
ebs_block_device = [
{
device_name = "/dev/xvdz"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = true
encrypted = true
}
]
root_block_device = [
{
volume_size = "50"
volume_type = "gp2"
encrypted = true
}
]
# Auto scaling group
asg_name = "example-asg"
vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
health_check_type = "EC2"
min_size = 0
max_size = 1
desired_capacity = 1
wait_for_capacity_timeout = 0
tags = [
{
key = "Environment"
value = "dev"
propagate_at_launch = true
},
{
key = "Project"
value = "megasecret"
propagate_at_launch = true
},
]
}