Block Device Is Not Encrypted
- Query id: 40078463-6806-4bc0-b86e-7f121df601c1
- Query name: Block Device Is Not Encrypted
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 311
- Risk score: 6.0
- URL: Github
Description
Block device mappings for Launch Configurations and EC2 instances should mandate encryption of all attached EBS volumes to safeguard sensitive data. This is achieved by setting the 'Encrypted' property of each mapping's 'Ebs' block to 'true'; a mapping whose 'Encrypted' property is missing, 'false', or the string "false" is reported.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": false
            }
          }
        ]
      }
    }
  }
}
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c55b159cbfafe1f0
      InstanceType: t2.micro
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            Encrypted: "false"
```
Positive test num. 3 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLaunchConfiguration": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": "false"
            }
          }
        ]
      }
    }
  }
}
```
Positive test num. 4 - yaml file
Positive test num. 5 - yaml file
Positive test num. 6 - json file
Positive test num. 7 - yaml file
Positive test num. 8 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLaunchConfiguration": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": false
            }
          }
        ]
      }
    }
  }
}
```
Positive test num. 9 - yaml file
Positive test num. 10 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLaunchConfiguration": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8
            }
          }
        ]
      }
    }
  }
}
```
Positive test num. 11 - yaml file
Positive test num. 12 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": "false"
            }
          }
        ]
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": true
            }
          }
        ]
      }
    }
  }
}
```
Negative test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c55b159cbfafe1f0
      InstanceType: t2.micro
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            Encrypted: true
```
Negative test num. 3 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLaunchConfiguration": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": true
            }
          }
        ]
      }
    }
  }
}
```
Negative test num. 4 - yaml file
Negative test num. 5 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": "true"
            }
          }
        ]
      }
    }
  }
}
```
Negative test num. 6 - yaml file
Negative test num. 7 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyLaunchConfiguration": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-0c55b159cbfafe1f0",
        "InstanceType": "t2.micro",
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/xvda",
            "Ebs": {
              "VolumeSize": 8,
              "Encrypted": "true"
            }
          }
        ]
      }
    }
  }
}
```
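The following is an added example, not part of the KICS query or its documentation: a small Python checker that applies the same rule as the samples above to a parsed CloudFormation template, flagging every EBS mapping on an EC2 instance or Launch Configuration whose Encrypted property is missing, false, or the string "false", while accepting both true and "true" as compliant. The template builder and the embedded JSON sample are constructed for the demonstration.

```python
import json

# Resource types whose BlockDeviceMappings this query inspects.
CHECKED_TYPES = {"AWS::EC2::Instance", "AWS::AutoScaling::LaunchConfiguration"}

def is_encrypted(value):
    """Both the boolean true and the string "true" count as encrypted,
    matching the page's compliant samples; anything else does not."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def find_unencrypted_volumes(template):
    """Return (resource name, device name, reason) for each EBS mapping
    whose Encrypted property is undefined or not true."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in CHECKED_TYPES:
            continue
        mappings = resource.get("Properties", {}).get("BlockDeviceMappings", [])
        for mapping in mappings:
            ebs = mapping.get("Ebs")
            if ebs is None:
                continue  # instance-store mapping: no EBS volume to encrypt
            device = mapping.get("DeviceName", "?")
            if "Encrypted" not in ebs:
                findings.append((name, device, "Encrypted is undefined"))
            elif not is_encrypted(ebs["Encrypted"]):
                findings.append((name, device, "Encrypted is %r" % (ebs["Encrypted"],)))
    return findings

def template_with(resource_type, ebs):
    """Constructed helper: build a minimal template shaped like the page's samples."""
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {"Vol": {"Type": resource_type, "Properties": {
                "ImageId": "ami-0c55b159cbfafe1f0", "InstanceType": "t2.micro",
                "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": ebs}]}}}}

# Constructed JSON input mirroring the "Encrypted undefined" positive sample.
SAMPLE_JSON = '''{"Resources": {"MyLaunchConfiguration": {
  "Type": "AWS::AutoScaling::LaunchConfiguration",
  "Properties": {"BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                                           "Ebs": {"VolumeSize": 8}}]}}}}'''

if __name__ == "__main__":
    print(find_unencrypted_volumes(json.loads(SAMPLE_JSON)))
    for ebs in ({"VolumeSize": 8, "Encrypted": False}, {"VolumeSize": 8, "Encrypted": "false"},
                {"VolumeSize": 8, "Encrypted": True}, {"VolumeSize": 8, "Encrypted": "true"}):
        print(ebs, "->", find_unencrypted_volumes(template_with("AWS::EC2::Instance", ebs)) or "compliant")
```

To scan YAML templates, load them with a YAML parser into the same dictionary shape first; note that CloudFormation intrinsic tags such as !Ref need a loader that tolerates custom tags, and that an unquoted false in YAML parses as a boolean while the quoted "false" shown in the samples stays a string.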