AWS EBS volumes are not encrypted
Description
Encrypting EBS volumes ensures that replicated copies of your volumes (including snapshots) remain protected even if they are accidentally exposed. AWS EBS encryption uses AWS KMS customer master keys (CMK) when creating encrypted volumes and snapshots. Storing EBS volumes in their encrypted state reduces the risk of data exposure or data loss. We recommend you encrypt all data stored in EBS.
Code Example
```hcl
resource "aws_ebs_volume" "example" {
  ...
  availability_zone = "${var.availability_zone}"
+ encrypted         = true
  ...
}
```

Remediation
AWS Console
To enable encryption by default using the AWS Console, follow these steps:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
3. From the navigation bar, select the Region.
4. From the navigation pane, select EC2 Dashboard.
5. In the upper-right corner of the page, select Account Attributes, then Settings.
6. Under EBS Storage, select Always encrypt new EBS volumes.
7. Click Update.
CLI Command
To always encrypt new EBS volumes, use the following command. The setting is per Region, so repeat it for every Region you use:

```bash
aws ec2 --region <REGION> enable-ebs-encryption-by-default
```
Fix - Buildtime
Terraform
- Resource: aws_ebs_volume
- Argument: encrypted - (Optional) If true, the disk will be encrypted.
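As an added example (not code from the page or from Checkov itself), the following Python check applies the logic of this rule to a Terraform plan in JSON form, the way the TerraformPlan framework would see it: every `aws_ebs_volume` whose `encrypted` argument is missing or false is reported, including volumes declared in child modules. The plan excerpt and every address, account ID and key ID in it are constructed for the example.

```python
import json

# Constructed excerpt of `terraform show -json plan.out` output (not from the page);
# only the fields the check needs are included.
PLAN_JSON = """
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_ebs_volume.example", "type": "aws_ebs_volume",
         "values": {"availability_zone": "us-east-1a", "size": 40, "encrypted": false}},
        {"address": "aws_ebs_volume.logs", "type": "aws_ebs_volume",
         "values": {"availability_zone": "us-east-1a", "size": 100}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "values": {"availability_zone": "us-east-1a", "size": 200, "encrypted": true,
                    "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
        {"address": "aws_instance.web", "type": "aws_instance", "values": {"ami": "ami-EXAMPLE"}}
      ],
      "child_modules": [
        {"address": "module.db", "resources": [
          {"address": "module.db.aws_ebs_volume.store", "type": "aws_ebs_volume",
           "values": {"availability_zone": "us-east-1b", "size": 50, "encrypted": false}}
        ]}
      ]
    }
  }
}
"""

def iter_resources(module):
    """Yield each resource in a plan module, then recurse into its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unencrypted_ebs_volumes(plan_json):
    """Return addresses of aws_ebs_volume resources whose `encrypted` is not true.

    A missing argument fails too: the provider default is false, and account-level
    encryption-by-default is not visible in the plan, so it cannot be relied on here.
    """
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "aws_ebs_volume"
            and r.get("values", {}).get("encrypted") is not True]

if __name__ == "__main__":
    for address in unencrypted_ebs_volumes(PLAN_JSON):
        print(f"FAILED CKV_AWS_3 (EBS volume not encrypted): {address}")
```

Wire the check into CI after `terraform plan` so an unencrypted volume fails the build before it reaches runtime, where the console and CLI steps above only protect volumes created afterwards.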
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0058 |
| Severity | HIGH |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_3 |