Config rule for encrypted volumes disabled

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Config rule for encrypted volumes disabled

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 1b6322d9-c755-4f8c-b804-32c19250f2d9

Cloud Provider: AWS

Platform: CloudFormation

Severity: High

Category: Encryption

Learn More

Provider Reference

Description

AWS Config should include the managed rule that detects unencrypted EBS volumes so that unencrypted volumes, snapshots, and backups are identified and remediated to prevent data exposure if storage media or snapshots are compromised.

This check looks for an AWS::Config::ConfigRule resource with Properties.Source.SourceIdentifier set to ENCRYPTED_VOLUMES. Resources missing this config rule or with a different SourceIdentifier will be flagged.

Ensure a config rule with SourceIdentifier set to ENCRYPTED_VOLUMES (typically Owner set to AWS for the managed rule) is defined and enabled in your CloudFormation template.

Secure CloudFormation example:

EncryptedVolumesConfigRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: encrypted-volumes
    Source:
      Owner: AWS
      SourceIdentifier: ENCRYPTED_VOLUMES

Compliant Code Examples

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 90
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      MaximumExecutionFrequency: TwentyFour_Hours

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "MaximumExecutionFrequency": "TwentyFour_Hours",
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 90
        },
        "Source": {
          "SourceIdentifier": "ENCRYPTED_VOLUMES",
          "Owner": "AWS"
        }
      }
    }
  }
}

Non-Compliant Code Examples

{
  "Resources": {
    "ConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {
          "maxAccessKeyAge": 100
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ACCESS_KEYS_ROTATED"
        },
        "MaximumExecutionFrequency": "TwentyFour_Hours"
      }
    }
  }
}

Resources:
  ConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge: 100
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours