EBS volume without KmsKeyId
Este producto no es compatible con el
sitio Datadog seleccionado. (
).
Id: b7063015-6c31-4658-a8e7-14f98f37fd42
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Secret Management
Learn More
Description
Amazon EBS volumes should specify a customer-managed AWS KMS key (KmsKeyId) so data at rest is encrypted under keys you control and access to decrypt volumes and snapshots can be restricted via key policies.
In CloudFormation, the AWS::EC2::Volume resource must include the Properties.KmsKeyId property, and it should reference a key ARN, key ID, or alias for a customer-managed CMK. Resources missing KmsKeyId will be flagged. If account-level default EBS encryption is not enabled, this omission can result in unencrypted volumes. If default encryption is enabled, it may cause the AWS-managed key to be used instead of a customer-managed key.
Secure configuration example:
MyVolume:
Type: AWS::EC2::Volume
Properties:
AvailabilityZone: us-west-2a
Size: 100
KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/01234567-89ab-cdef-0123-456789abcdef
Compliant Code Examples
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
MyKey:
Type: "AWS::KMS::Key"
Properties:
KeyPolicy:
Version: 2012-10-17
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Join
- ""
- - "arn:aws:iam::"
- !Ref "AWS::AccountId"
- ":root"
Action: "kms:*"
Resource: "*"
NewVolume:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
Tags:
- Key: MyTag
Value: TagValue
KmsKeyId: !Ref MyKey
DeletionPolicy: Snapshot
{
"Resources": {
"MyKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"KeyPolicy": {
"Version": "2012-10-17T00:00:00Z",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"",
[
"arn:aws:iam::",
"AWS::AccountId",
":root"
]
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}
}
},
"NewVolume": {
"DeletionPolicy": "Snapshot",
"Type": "AWS::EC2::Volume",
"Properties": {
"KmsKeyId": "MyKey",
"Size": 100,
"Encrypted": true,
"AvailabilityZone": "Ec2Instance.AvailabilityZone",
"Tags": [
{
"Key": "MyTag",
"Value": "TagValue"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating ECS service"
}
Non-Compliant Code Examples
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating ECS service",
"Resources": {
"NewVolume": {
"Type": "AWS::EC2::Volume",
"Properties": {
"Size": 100,
"Encrypted": true,
"AvailabilityZone": "Ec2Instance.AvailabilityZone",
"Tags": [
{
"Key": "MyTag",
"Value": "TagValue"
}
]
},
"DeletionPolicy": "Snapshot"
}
}
}
AWSTemplateFormatVersion: 2010-09-09
Description: Creating ECS service
Resources:
NewVolume:
Type: AWS::EC2::Volume
Properties:
Size: 100
Encrypted: true
AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
Tags:
- Key: MyTag
Value: TagValue
DeletionPolicy: Snapshot
