EBS volume is not encrypted
Affecting EBS service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Data / Access

Frameworks
AWS-Well-Architected, CIS-AWS, CIS-Controls, CSA-CCM, GDPR, HIPAA, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID: SNYK-CC-00016
  • Credit: Snyk Research Team

Description

Enabling encryption on EBS volumes protects data at rest inside the volume, data in transit between the volume and the instance, snapshots created from the volume, and volumes created from those snapshots. When encryption is enabled, an AWS managed KMS key is used by default, or you can supply your own symmetric customer managed KMS key.

How to fix?

Set the aws_ebs_volume encrypted field to true.

If encrypting with a customer managed KMS key, kms_key_id should be set to the KMS key ARN.

Example Configuration

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true
}
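
The customer managed key option described under "How to fix?", shown beside a volume this rule flags. This is an added example, not part of the original Snyk page; the resource names `unencrypted`, `ebs` and `encrypted_cmk` and the key settings are assumptions.

```hcl
# Flagged by this rule: encrypted is omitted, so the field is not true.
resource "aws_ebs_volume" "unencrypted" {
  availability_zone = "us-west-2a"
  size              = 40
}

# Symmetric customer managed KMS key (name and settings are assumptions).
resource "aws_kms_key" "ebs" {
  description             = "Customer managed key for EBS volume encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Passes: encrypted is true and kms_key_id is set to the key ARN.
resource "aws_ebs_volume" "encrypted_cmk" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true

  # Reference the arn attribute, not key_id: the fix calls for the KMS key ARN.
  kms_key_id = aws_kms_key.ebs.arn
}
```

Changing `encrypted` on an existing `aws_ebs_volume` makes Terraform replace the volume, so review the plan before applying the fix to a volume that holds data.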