
Metadata

Id: 7674a686-e4b1-4a95-83d4-1fd53c623d84

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Encryption

Description

Without an AWS Config rule that evaluates volume encryption, there is no continuous, automated detection of unencrypted EBS volumes and of the snapshots created from them, so data at rest remains exposed if the underlying storage or a snapshot copy is compromised. The AWS managed rule ENCRYPTED_VOLUMES reports attached EBS volumes that are not encrypted; like any Config rule, it only produces evaluations once the AWS Config configuration recorder is enabled in the account and region.

For Ansible-managed resources, define the rule with the config_rule module (community.aws.config_rule, or the short name aws_config_rule) and set source.owner to AWS and source.identifier to ENCRYPTED_VOLUMES. The identifier comparison is case-insensitive. Tasks using this module that omit source.identifier, or set it to any other value, are flagged.

Secure Ansible example:

- name: Ensure AWS Config rule for encrypted volumes exists
  community.aws.config_rule:
    name: encrypted-volumes-rule
    source:
      owner: AWS
      identifier: ENCRYPTED_VOLUMES
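The rule logic, restated as a small stand-alone check. This Python script is an added example written for this page; it is not Datadog's scanner and does not use Datadog's internal rule format. It assumes that the module names community.aws.config_rule, aws_config_rule and config_rule identify a Config rule task, reads source.identifier, and applies the case-insensitive comparison described above; load_tasks() uses PyYAML if it is installed, and the embedded sample tasks are constructed for this example to mirror the compliant and non-compliant tasks on this page.

```python
"""Added example, not Datadog's own scanner: flag Ansible config_rule tasks
whose source.identifier is missing or is not ENCRYPTED_VOLUMES.
Sample tasks below are constructed for this example."""

try:
    import yaml  # PyYAML; optional, only used by load_tasks()
except ImportError:
    yaml = None

REQUIRED_IDENTIFIER = "ENCRYPTED_VOLUMES"
# Module names treated as the Config rule module: the FQCN plus the short
# names users may still write (assumed set for this example).
CONFIG_RULE_MODULES = ("community.aws.config_rule", "aws_config_rule", "config_rule")


def load_tasks(playbook_text):
    """Parse playbook YAML into a flat task list.

    Accepts a bare task list (as in this page's examples) or a list of plays
    carrying a `tasks` key. Requires PyYAML."""
    if yaml is None:
        raise RuntimeError("PyYAML is required for load_tasks()")
    items = yaml.safe_load(playbook_text) or []
    tasks = []
    for item in items:
        if isinstance(item, dict) and "tasks" in item:
            tasks.extend(item.get("tasks") or [])
        elif isinstance(item, dict):
            tasks.append(item)
    return tasks


def config_rule_identifier(task):
    """Return (is_config_rule_task, identifier) for one task.

    identifier is None when the task is not a config_rule task or when
    source.identifier is absent."""
    for module in CONFIG_RULE_MODULES:
        if module in task:
            args = task.get(module) or {}
            source = args.get("source") if isinstance(args, dict) else None
            ident = (source or {}).get("identifier")
            return True, ident
    return False, None


def find_findings(tasks):
    """Return [(task_name, reason)] for config_rule tasks that do not define
    the ENCRYPTED_VOLUMES managed rule. Tasks using other modules are ignored."""
    findings = []
    for task in tasks:
        is_rule, ident = config_rule_identifier(task)
        if not is_rule:
            continue
        name = task.get("name", "<unnamed>")
        if ident is None:
            findings.append((name, "source.identifier is missing"))
        elif str(ident).strip().upper() != REQUIRED_IDENTIFIER:
            findings.append((name, f"source.identifier is {ident!r}, not {REQUIRED_IDENTIFIER}"))
    return findings


def has_encrypted_volumes_rule(tasks):
    """True when at least one config_rule task defines ENCRYPTED_VOLUMES."""
    return any(
        ident is not None and str(ident).strip().upper() == REQUIRED_IDENTIFIER
        for _, ident in map(config_rule_identifier, tasks)
    )


# Constructed sample tasks, already parsed (what yaml.safe_load would return).
COMPLIANT_TASKS = [
    {"name": "foo", "community.aws.config_rule": {
        "name": "test_config_rule", "state": "present",
        "source": {"owner": "AWS", "identifier": "encrypted_volumes"},  # lowercase still passes
    }},
]

NONCOMPLIANT_TASKS = [
    {"name": "foo", "community.aws.config_rule": {              # wrong managed rule
        "name": "test_config_rule", "state": "present",
        "source": {"owner": "AWS", "identifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"},
    }},
    {"name": "bar", "aws_config_rule": {                         # identifier omitted
        "name": "unfinished_rule", "source": {"owner": "AWS"},
    }},
    {"name": "baz", "amazon.aws.ec2_vol": {"volume_size": 10}},  # not a Config rule; ignored
]

if __name__ == "__main__":
    for label, tasks in (("compliant", COMPLIANT_TASKS), ("non-compliant", NONCOMPLIANT_TASKS)):
        print(label, "->", find_findings(tasks) or "no findings")
```

Running the script reports no findings for the compliant list and two findings for the non-compliant one (the S3 rule and the task with no identifier); the unrelated ec2_vol task is skipped because only config_rule tasks are in scope. To scan a real playbook, pass the file contents to load_tasks() and hand the result to find_findings().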

Compliant Code Examples

---
- name: foo
  community.aws.config_rule:
    name: test_config_rule
    state: present
    # Description and scope match the managed rule being created
    description: This AWS Config rule checks that attached EBS volumes are encrypted
    scope:
      compliance_types:
        - AWS::EC2::Volume
    source:
      owner: AWS
      identifier: ENCRYPTED_VOLUMES

Non-Compliant Code Examples

---
- name: foo
  community.aws.config_rule:
    name: test_config_rule
    state: present
    description: 'This AWS Config rule checks for public write access on S3 buckets'
    scope:
      compliance_types:
        - 'AWS::S3::Bucket'
    source:
      owner: AWS
      # Flagged: a config_rule task whose source.identifier is not ENCRYPTED_VOLUMES
      identifier: 'S3_BUCKET_PUBLIC_WRITE_PROHIBITED'