Ensure EBS volumes have encrypted launch configurations

Error: EBS volumes do not have encrypted launch configurations

Bridgecrew Policy ID: BC_AWS_GENERAL_13
Checkov Check ID: CKV_AWS_8
Severity: HIGH

EBS volumes do not have encrypted launch configurations

Description

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. Navigate to Auto Scaling.
  4. Create a new launch configuration.
  5. Add an encrypted EBS volume (Add Storage).

CLI Command

aws autoscaling create-launch-configuration 
--launch-configuration-name my-launch-config
--image-id ami-c6169af6
--instance-type m1.medium
--encrypted true

Fix - Buildtime

Terraform

  • Resource: aws_launch_configuration
  • Attribute: encrypted - (Optional) Whether the volume should be encrypted or not. Do not use this option if you are using snapshot_id as the encrypted flag will be determined by the snapshot. (Default: false).
resource "aws_launch_configuration" "example" {
  ...
  instance_type = "t2.micro"
+ root_block_device {
+ encrypted     = true
+ }
  ...
}

CloudFormation

  • Resource: AWS::AutoScaling::LaunchConfiguration
  • Attribute: Properties.BlockDeviceMappings
AutoScalingConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ...
      BlockDeviceMappings:
      - DeviceName: "/dev/sdk"
+       Ebs:
          ...
+         Encrypted: true
      - DeviceName: "/dev/sdf"
        Ebs:
            ...
-         Encrypted: false
            - DeviceName: "/dev/sdc"
-       VirtualName: ephermal

Did this page help you?