EBS Volume Encryption Disabled

  • Query id: 80b7ac3f-d2b7-4577-9b10-df7913497162
  • Query name: EBS Volume Encryption Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

EBS volumes should be encrypted
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume"
Resources:
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      Encrypted: false
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume 02"
Resources:
  NewVolume02:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Volume",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ],
        "Size": 100,
        "Encrypted": false,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone"
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}

Positive test num. 4 - json file 
{
  "Description": "Volume 02",
  "Resources": {
    "NewVolume02": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Size": 100,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone",
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ]
      },
      "DeletionPolicy": "Snapshot"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume"
Resources:
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      Encrypted: true
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Volume",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Encrypted": true,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone",
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ],
        "Size": 100
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}