Ensure AWS EBS volumes are encrypted

Error: AWS EBS volumes are not encrypted

Bridgecrew Policy ID: BC_AWS_GENERAL_3
Checkov Check ID: CKV_AWS_3 (https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/EBSEncryption.py)
Severity: HIGH

Encrypting an EBS volume protects the data at rest on the volume and the data moving between the volume and the instance. Every snapshot taken from an encrypted volume, and every volume created from such a snapshot, is encrypted as well, so copies that are shared or replicated to other accounts or Regions stay protected even if they are exposed by mistake. EBS encryption uses AWS KMS keys (formerly called customer master keys, CMKs): the AWS managed key aws/ebs unless you specify a customer managed key. Encryption and decryption are transparent to the operating system and application, with minimal effect on latency. Note that the encryption state of a volume is fixed when it is created: an existing unencrypted volume cannot be encrypted in place; you snapshot it, copy the snapshot with encryption enabled, and create a new volume from the copy. Enabling encryption by default (see Fix - Runtime) only affects volumes created after the setting is turned on, and it is a per-Region setting.
We recommend you encrypt all data stored in EBS.

Fix - Runtime

AWS Console

To change the setting using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. From the navigation bar, select the Region you want to change. The setting is per Region, so repeat these steps in every Region you use.
  4. From the navigation pane, select EC2 Dashboard.
  5. In the upper-right corner of the page, under Account Attributes, select Settings (labelled Data protection and security in newer versions of the console).
  6. Under EBS Storage, select Always encrypt new EBS volumes.
  7. Click Update.

This only affects volumes created from now on; volumes that already exist stay unencrypted until they are recreated from an encrypted snapshot copy.

CLI Command

To always encrypt new EBS volumes in a Region, run the following command once in every Region you use (the setting is not account-wide):

aws ec2 --region <REGION> enable-ebs-encryption-by-default
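The single command above fixes one Region and says nothing about volumes that already exist. The script below is an added example, not part of the Bridgecrew page or the Checkov project: it turns the setting on in every enabled Region of the account, reads the setting back to confirm it took effect, and lists volumes that were created unencrypted before the change (those are not touched by the setting and must be recreated from an encrypted snapshot copy). It assumes the AWS CLI is installed and configured with credentials permitted to call ec2:DescribeRegions, ec2:EnableEbsEncryptionByDefault, ec2:GetEbsEncryptionByDefault and ec2:DescribeVolumes; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Bridgecrew page or Checkov): enable EBS
# encryption by default in every enabled Region, verify it, and report
# pre-existing unencrypted volumes. Assumes a configured AWS CLI.
set -eu

# Interpret the JSON returned by `aws ec2 get-ebs-encryption-by-default`,
# e.g. {"EbsEncryptionByDefault": true}. Returns 0 when the Region reports
# the setting as enabled, 1 otherwise. Kept free of AWS calls so it can be
# exercised against canned responses.
ebs_default_enabled() {
  json="$1"
  # Strip whitespace so indentation differences in CLI output do not matter.
  case "$(printf '%s' "$json" | tr -d ' \n\t')" in
    *'"EbsEncryptionByDefault":true'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Enable the setting in one Region and read it back; the read-back is the
# check that Checkov's runtime finding would look at.
enable_region() {
  region="$1"
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  response="$(aws ec2 get-ebs-encryption-by-default --region "$region")"
  if ebs_default_enabled "$response"; then
    echo "$region: EBS encryption by default enabled"
  else
    echo "$region: setting did not take effect" >&2
    return 1
  fi
}

# Volumes created before the setting was enabled stay unencrypted; list them
# so they can be snapshotted, copied with --encrypted, and replaced.
list_unencrypted_volumes() {
  region="$1"
  aws ec2 describe-volumes --region "$region" \
    --filters Name=encrypted,Values=false \
    --query 'Volumes[].VolumeId' --output text
}

# Walk every Region enabled for the account.
main() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    enable_region "$region"
    vols="$(list_unencrypted_volumes "$region")"
    if [ -n "$vols" ]; then
      echo "$region: existing unencrypted volumes: $vols"
    fi
  done
}

# The rollout changes account settings, so it only runs when asked for
# explicitly: ./ebs-encrypt-by-default.sh --apply
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it with `--apply` to make the change; without the flag it only defines the functions, which is convenient for sourcing it and checking a single Region by hand with `enable_region us-east-1`.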

Fix - Buildtime


  • Resource: aws_ebs_volume
  • Argument: encrypted - (Optional) If true, the disk will be encrypted. Optionally pair it with kms_key_id to use a customer managed KMS key instead of the AWS managed aws/ebs key. Set it explicitly even when encryption by default is enabled in the account: Checkov evaluates the configuration statically and cannot see the account setting.
resource "aws_ebs_volume" "example" {
  availability_zone = var.availability_zone
  size              = 40
+ encrypted         = true
}


  • Resource: AWS::EC2::Volume
  • Argument: Properties.Encrypted - (Optional) If true, the disk will be encrypted. Optionally set Properties.KmsKeyId to use a customer managed KMS key. As with Terraform, the property must be set explicitly for the check to pass.
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: us-east-1a
+     Encrypted: true