Block Device Is Not Encrypted
- Query id: 1f624961-9a18-4387-91c8-3856e1974b6f
- Query name: Block Device Is Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- CWE: 311
- Risk score: 6.0
- URL: Github
Description¶
Block device mappings for Launch Configurations and EC2 instances should require encryption of every attached EBS volume, so that data at rest is protected. This is achieved by setting the 'encrypted' attribute to 'true' on each volume; a volume whose 'encrypted' attribute is omitted is reported in the same way as one where it is set to 'false'.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive case: the ebs_block_device has no 'encrypted' attribute, so the
# query reports the attached EBS volume as unencrypted.
resource "aws_launch_configuration" "example1" {
  image_id         = data.aws_ami.ubuntu.id
  instance_type    = "m4.large"
  spot_price       = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey (fixture placeholder value)
  lifecycle {
    create_before_destroy = true
  }
  ebs_block_device {
    device_name = "/dev/xvda1"
    # 'encrypted' is omitted here: flagged.
  }
}
# Positive case: the ebs_block_device explicitly sets 'encrypted = false'.
resource "aws_launch_configuration" "example2" {
  image_id         = data.aws_ami.ubuntu.id
  instance_type    = "m4.large"
  spot_price       = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey (fixture placeholder value)
  lifecycle {
    create_before_destroy = true
  }
  ebs_block_device {
    device_name = "/dev/xvda1"
    encrypted   = false # flagged: encryption disabled
  }
}
# Positive case: the root volume (root_block_device) is declared with
# 'encrypted = false'. The root device is covered by the query as well.
resource "aws_launch_configuration" "example3" {
  name = "test-launch-config"
  root_block_device {
    encrypted = false # flagged: root volume encryption disabled
  }
}
Positive test num. 2 - tf file
# Positive case (autoscaling module, 1.x list-style inputs): neither the
# ebs_block_device entry nor the root_block_device entry carries an
# 'encrypted' attribute, so both volumes are reported.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      # 'encrypted' is omitted: flagged.
    }
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      # 'encrypted' is omitted: flagged.
    }
  ]
}
# Positive case (autoscaling module 6.x, block_device_mappings input): each
# mapping's nested 'ebs' object lacks an 'encrypted' attribute, so both the
# root device and the additional EBS device are reported.
module "asg2" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "6.0"
  block_device_mappings = [
    {
      ebs = { # Root device (no device_name given in this fixture)
        volume_size = 50
        volume_type = "gp2"
        # 'encrypted' is omitted: flagged.
      }
    },
    {
      device_name = "/dev/xvdz" # EBS device
      ebs = {
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        # 'encrypted' is omitted: flagged.
      }
    }
  ]
}
Positive test num. 3 - tf file
# Positive case (autoscaling module 1.x): the ebs_block_device entry disables
# encryption explicitly, and the root_block_device entry omits 'encrypted'.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      encrypted             = false # flagged: encryption disabled
    }
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      # 'encrypted' is omitted: flagged.
    }
  ]
}
# Positive case (autoscaling module 6.x): the root mapping omits 'encrypted'
# and the additional volume sets it to false; both are reported.
module "asg2" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "6.0"
  block_device_mappings = [
    {
      ebs = { # Root volume
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        # 'encrypted' is omitted: flagged.
      }
    },
    {
      device_name = "/dev/xvdz" # Additional EBS volume
      ebs = {
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        encrypted             = false # flagged: encryption disabled
      }
    }
  ]
}
Positive test num. 4 - tf file
# Positive case (autoscaling module 1.x): the ebs_block_device entry omits
# 'encrypted' and the root_block_device entry sets it to false.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      # 'encrypted' is omitted: flagged.
    }
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      encrypted   = false # flagged: root volume encryption disabled
    }
  ]
}
# Positive case (autoscaling module 6.x): both the root mapping and the
# additional volume explicitly set 'encrypted = false'.
module "asg2" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "6.0"
  block_device_mappings = [
    {
      ebs = { # Root volume
        volume_size = 50
        volume_type = "gp2"
        encrypted   = false # flagged: root volume encryption disabled
      }
    },
    {
      device_name = "/dev/xvdz" # Additional EBS volume
      ebs = {
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        encrypted             = false # flagged: encryption disabled
      }
    }
  ]
}
Positive test num. 5 - tf file
# Positive case (aws_instance): the root_block_device explicitly disables
# encryption.
resource "aws_instance" "example1" {
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device {
    delete_on_termination = true
    encrypted             = false # flagged: root volume encryption disabled
    throughput            = "0"
    volume_size           = "8"
    volume_type           = "gp2"
  }
  tags = {
    Name = "web-app-instance"
  }
}
# Positive case (aws_instance): the additional ebs_block_device explicitly
# disables encryption.
resource "aws_instance" "example2" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  tags = {
    Name = "positive5"
  }
  ebs_block_device {
    device_name           = "/dev/sdh"
    volume_size           = 10
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = false # flagged: encryption disabled
  }
}
Positive test num. 6 - tf file
# Positive case (aws_instance): the root_block_device has no 'encrypted'
# attribute at all, which the query reports like an explicit false.
resource "aws_instance" "example1" {
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device {
    throughput  = "0"
    volume_size = "8"
    volume_type = "gp2"
    # 'encrypted' is omitted: flagged.
  }
  tags = {
    Name = "web-app-instance"
  }
}
# Positive case (aws_instance): the ebs_block_device omits 'encrypted'.
resource "aws_instance" "example2" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  tags = {
    Name = "web-app-instance"
  }
  ebs_block_device {
    device_name = "/dev/sdh"
    volume_size = 10
    volume_type = "gp3"
    # 'encrypted' is omitted: flagged.
  }
}
Positive test num. 7 - tf file
# Positive case (ec2-instance module ~> 6.0): root_block_device is passed as
# a single object in this module version, and it sets 'encrypted = false'.
module "positive7-aws6" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 6.0"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = {
    delete_on_termination = true
    encrypted             = false # flagged: root volume encryption disabled
    throughput            = 0
    volume_size           = 8
    volume_type           = "gp2"
  }
}
# Positive case (ec2-instance module ~> 5.7): the older module shape takes
# root_block_device as a list of objects; the single entry disables encryption.
module "positive7-legacy" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 5.7"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = [
    {
      delete_on_termination = true
      encrypted             = false # flagged: root volume encryption disabled
      throughput            = 0
      volume_size           = 8
      volume_type           = "gp2"
    }
  ]
}
Positive test num. 8 - tf file
# Positive case (ec2-instance module ~> 6.0): root_block_device object with
# 'encrypted = false'. The volume type (gp3 here) does not affect the finding.
module "positive8-aws6" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 6.0"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = {
    encrypted   = false # flagged: root volume encryption disabled
    throughput  = 0
    volume_size = 8
    volume_type = "gp3"
  }
}
# Positive case (ec2-instance module ~> 5.7): list-style root_block_device
# whose single entry sets 'encrypted = false'.
module "positive8-legacy" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 5.7"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = [
    {
      encrypted   = false # flagged: root volume encryption disabled
      throughput  = 0
      volume_size = 8
      volume_type = "gp3"
    }
  ]
}
Positive test num. 9 - tf file
# Positive case (ec2-instance module ~> 6.0): the root_block_device object
# omits 'encrypted' entirely.
module "positive9-aws6" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 6.0"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = {
    throughput  = 0
    volume_size = 8
    volume_type = "gp2"
    # 'encrypted' is omitted: flagged.
  }
}
# Positive case (ec2-instance module ~> 5.7): the list-style root_block_device
# entry omits 'encrypted'.
module "positive9-legacy" {
  source        = "terraform-aws-modules/ec2-instance/aws"
  version       = "~> 5.7"
  name          = "web-app-instance"
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device = [
    {
      throughput  = 0
      volume_size = 8
      volume_type = "gp2"
      # 'encrypted' is omitted: flagged.
    }
  ]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative case: the ebs_block_device sets 'encrypted = true', which is the
# compliant form the query expects for every EBS mapping.
resource "aws_launch_configuration" "negative1-1" {
  image_id         = data.aws_ami.ubuntu.id
  instance_type    = "m4.large"
  spot_price       = "0.001"
  user_data_base64 = "c29tZUtleQ==" # someKey (fixture placeholder value)
  lifecycle {
    create_before_destroy = true
  }
  ebs_block_device {
    device_name = "/dev/xvda1"
    encrypted   = true # compliant
  }
}
# Negative case: ephemeral_block_device describes instance-store volumes, not
# EBS volumes, so the query does not evaluate its 'encrypted' value even
# though it is false here.
resource "aws_launch_configuration" "negative1-2" {
  name = "test-launch-config"
  ephemeral_block_device {
    encrypted = false # not an EBS mapping: out of scope for this query
  }
}
Negative test num. 2 - tf file
# Negative case (autoscaling module 6.x): every block_device_mappings entry
# sets 'encrypted = true' inside its nested 'ebs' object.
module "negative2" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "6.0"
  block_device_mappings = [
    {
      device_name = "/dev/xvda" # Root volume
      ebs = {
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        encrypted             = true # compliant
      }
    },
    {
      device_name = "/dev/xvdz" # Additional EBS volume
      ebs = {
        volume_size           = 50
        volume_type           = "gp2"
        delete_on_termination = true
        encrypted             = true # compliant
      }
    }
  ]
}
# Negative case (autoscaling module 1.x): both the ebs_block_device and the
# root_block_device list entries set 'encrypted = true'.
module "negative2-legacy" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "1.0.4"
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
      encrypted             = true # compliant
    }
  ]
  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      encrypted   = true # compliant
    }
  ]
}
Negative test num. 3 - tf file
# Negative case (aws_instance): the root_block_device sets 'encrypted = true'.
resource "aws_instance" "negative3-1" {
  ami           = "ami-074251216af698218"
  instance_type = "t2.micro"
  root_block_device {
    delete_on_termination = true
    encrypted             = true # compliant
    throughput            = "0"
    volume_size           = "8"
    volume_type           = "gp2"
  }
}
# Negative case (aws_instance): the additional ebs_block_device sets
# 'encrypted = true'.
resource "aws_instance" "negative3-2" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
  ebs_block_device {
    device_name           = "/dev/sdh"
    volume_size           = 10
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true # compliant
  }
}
Negative test num. 4 - tf file
# Negative case (ec2-instance module ~> 6.0): the root_block_device object and
# the ebs_block_device both set 'encrypted = true'.
module "negative4" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 6.0"
  root_block_device = {
    delete_on_termination = true
    encrypted             = true # compliant
    throughput            = 0
    volume_size           = 8
    volume_type           = "gp2"
  }
  # NOTE(review): this uses nested-block syntax inside a module call, whereas
  # every other module sample on this page (including negative4-legacy below)
  # passes block device settings as an attribute (`ebs_block_device = [...]`).
  # Module inputs are attributes, so this form likely does not pass
  # `terraform validate` — confirm, and align with the attribute form if so.
  ebs_block_device {
    device_name           = "/dev/sdh"
    volume_size           = 10
    volume_type           = "gp3"
    delete_on_termination = true
    encrypted             = true # compliant
  }
}
# Negative case (ec2-instance module ~> 5.0): list-style root_block_device and
# ebs_block_device inputs whose entries both set 'encrypted = true'.
module "negative4-legacy" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 5.0"
  root_block_device = [
    {
      delete_on_termination = true
      encrypted             = true # compliant
      volume_size           = 8
      volume_type           = "gp2"
    }
  ]
  ebs_block_device = [
    {
      device_name           = "/dev/sdh"
      volume_size           = 10
      volume_type           = "gp3"
      delete_on_termination = true
      encrypted             = true # compliant
    }
  ]
}