Ensure only encrypted EBS volumes are attached to EC2 instances

Error: Not only encrypted EBS volumes are attached to EC2 instances

Bridgecrew Policy ID: BC_AWS_GENERAL_60
Checkov Check ID: CKV2_AWS_2
Severity: LOW

Not only encrypted EBS volumes are attached to EC2 instances

Description

Encrypting your AWS EBS volumes helps protect your data from unauthorized access or tampering. That way, you can ensure that only authorized users can access and modify the contents of your volumes. Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

Fix - Buildtime

Terraform

  • Resource: aws_volume_attachment, aws_instance, aws_ebs_volume
  • Argument: volume_id and instance_id of aws_volume_attachment
resource "aws_instance" "web" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  tags = {
    Name = "HelloWorld"
  }
}

resource "aws_volume_attachment" "ok_attachment1" {
  device_name = "/dev/sdh3"
  volume_id   = aws_ebs_volume.ok_ebs2.id
  instance_id = aws_instance.web.id
}


resource "aws_ebs_volume" "ok_ebs2" {
  availability_zone = ""
  encrypted = true
}