Amazon Elastic Block Store (EBS) is a block-storage service for Amazon Elastic Compute Cloud (EC2). EBS volumes can be encrypted, ensuring the
security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. In the case that adversaries gain physical access
to the storage medium they are not able to access the data. Encryption can be enabled for specific volumes or for all new volumes and snapshots. Volumes created
from snapshots inherit their encryption configuration. A volume created from an encrypted snapshot will also be encrypted by default.
Ask Yourself Whether
- The disk contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to encrypt EBS volumes that contain sensitive information. Encryption and decryption are handled transparently by EC2, so no
further modifications to the application are necessary. Instead of enabling encryption for every volume, it is also possible to enable encryption
globally for a specific region. While creating volumes from encrypted snapshots will result in them being encrypted, explicitly enabling this security
parameter will prevent any future unexpected security downgrade.
Sensitive Code Example
For aws_ebs_volume:
resource "aws_ebs_volume" "ebs_volume" { # Sensitive as encryption is disabled by default
}
resource "aws_ebs_volume" "ebs_volume" {
encrypted = false # Sensitive
}
For aws_ebs_encryption_by_default:
resource "aws_ebs_encryption_by_default" "default_encryption" {
enabled = false # Sensitive
}
For aws_launch_configuration:
resource "aws_launch_configuration" "launch_configuration" {
root_block_device { # Sensitive as encryption is disabled by default
}
ebs_block_device { # Sensitive as encryption is disabled by default
}
}
resource "aws_launch_configuration" "launch_configuration" {
root_block_device {
encrypted = false # Sensitive
}
ebs_block_device {
encrypted = false # Sensitive
}
}
Compliant Solution
For aws_ebs_volume:
resource "aws_ebs_volume" "ebs_volume" {
encrypted = true
}
For aws_ebs_encryption_by_default:
resource "aws_ebs_encryption_by_default" "default_encryption" {
enabled = true # Optional, default is "true"
}
For aws_launch_configuration:
resource "aws_launch_configuration" "launch_configuration" {
root_block_device {
encrypted = true
}
ebs_block_device {
encrypted = true
}
}
See
