Unencrypted EBS Volumes High

Instances and launch configurations with unencrypted EBS volumes are detected. Ensure that encryption is enabled for the EBS volumes attached to the instance or defined in the launch configuration, so that data at rest on those volumes is protected.

Detector ID
terraform/unencrypted-ebs-volumes-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_launch_configuration" "demo" {
  associate_public_ip_address = true
  iam_instance_profile = aws_iam_instance_profile.demo-node.name
  image_id = data.aws_ami.eks-worker.id
  instance_type = "t2.large"
  name_prefix = "terraform-eks-demo"
  security_groups = [aws_security_group.demo-node.id]
  user_data_base64 = base64encode(local.demo-node-userdata)
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  # Noncompliant: no root_block_device block is declared, so the data stored on the launch configuration's Elastic Block Store volume is not encrypted.
  lifecycle {
    create_before_destroy = true
  }
}

Compliant example

resource "aws_launch_configuration" "demo" {
  associate_public_ip_address = true
  iam_instance_profile = aws_iam_instance_profile.demo-node.name
  image_id = data.aws_ami.eks-worker.id
  instance_type = "t2.large"
  name_prefix = "terraform-eks-demo"
  security_groups = [aws_security_group.demo-node.id]
  user_data_base64 = base64encode(local.demo-node-userdata)
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  # Compliant: the root_block_device block sets encrypted = true, so the data stored on the launch configuration's Elastic Block Store volume is encrypted.
  root_block_device {
    encrypted     = true
  }
  lifecycle {
    create_before_destroy = true
  }
}
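The following is an added example, not the detector's own implementation, showing how a lightweight static check for this finding can be written. It walks Terraform resource blocks line by line, looks for root_block_device and ebs_block_device blocks inside aws_launch_configuration and aws_instance resources, and reports a volume block that lacks a literal encrypted = true as well as a resource that declares no root_block_device at all. The sample configuration embedded in the block is constructed for the example; the AMI ids in it are placeholders, and the resource names (plain, hardened, mixed) are assumptions.

```python
import re

# Constructed sample configuration (not from the page); ami ids are placeholders.
SAMPLE_TF = """
resource "aws_launch_configuration" "plain" {
  image_id      = "ami-00000000"
  instance_type = "t2.large"
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_launch_configuration" "hardened" {
  image_id      = "ami-00000000"  # placeholder AMI id
  instance_type = "t2.large"
  root_block_device {
    encrypted = true
  }
  ebs_block_device {
    device_name = "/dev/sdf"
    encrypted   = true
  }
}

resource "aws_instance" "mixed" {
  ami           = "ami-00000000"
  instance_type = "t3.micro"
  root_block_device {
    encrypted = true
  }
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 20
  }
}
"""

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\{\s*$')
# Only a literal `encrypted = true` counts; values set via variables or
# expressions are not resolved by this simple check.
ENCRYPTED_RE = re.compile(r'^\s*encrypted\s*=\s*true\s*$')

CHECKED_TYPES = {"aws_launch_configuration", "aws_instance"}
VOLUME_BLOCKS = {"root_block_device", "ebs_block_device"}


def strip_comment(line):
    # Drop trailing `#` comments; this is not a full HCL lexer, so a `#` or a
    # brace inside a quoted string would confuse it.
    return line.split("#", 1)[0].rstrip()


def collect_block(lines, start):
    """Return (inner_lines, next_index) for the block opened on lines[start]."""
    depth, inner, i = 1, [], start + 1
    while i < len(lines) and depth > 0:
        code = strip_comment(lines[i])
        depth += code.count("{") - code.count("}")
        if depth > 0:
            inner.append(code)
        i += 1
    return inner, i


def parse_resources(text):
    """Yield (type, name, body_lines) for each top-level resource block."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RESOURCE_RE.match(strip_comment(lines[i]))
        if not m:
            i += 1
            continue
        body, i = collect_block(lines, i)
        yield m.group(1), m.group(2), body


def volume_blocks(body):
    """Yield (block_name, inner_lines) for each root/ebs block device block."""
    i = 0
    while i < len(body):
        m = BLOCK_RE.match(body[i])
        if m and m.group(1) in VOLUME_BLOCKS:
            inner, i = collect_block(body, i)
            yield m.group(1), inner
        else:
            i += 1


def find_unencrypted(text):
    """Return a list of findings, one string per unencrypted or missing volume."""
    findings = []
    for rtype, name, body in parse_resources(text):
        if rtype not in CHECKED_TYPES:
            continue
        blocks = list(volume_blocks(body))
        if "root_block_device" not in {b for b, _ in blocks}:
            findings.append(f"{rtype}.{name}/root_block_device missing")
        for bname, inner in blocks:
            if not any(ENCRYPTED_RE.match(line) for line in inner):
                findings.append(f"{rtype}.{name}/{bname} not encrypted")
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted(SAMPLE_TF):
        print(finding)
```

Running the block against the embedded sample reports the launch configuration that declares no root_block_device and the extra ebs_block_device on the instance that omits encrypted, while the hardened launch configuration passes. A check like this sees only the configuration file: it cannot tell whether the account has EBS encryption by default enabled, which would also encrypt these volumes, so a finding from it means "not declared in code", not necessarily "unencrypted in the account".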