Metadata

Id: 4b6012e7-7176-46e4-8108-e441785eae57

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Encryption

Description

Encrypt EBS volumes to protect data at rest and ensure snapshots and backups are also encrypted. Unencrypted volumes and their snapshots risk exposure if storage media or backups are compromised. For Ansible, tasks using the amazon.aws.ec2_vol or legacy ec2_vol modules must define the encrypted property and set it to true (or yes). Tasks with state set to absent or list are ignored. Resources with encrypted set to false or missing the encrypted attribute are flagged.
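The following is an added example of how the rule logic above can be reproduced as a small standalone check; it is not Datadog's or KICS's scanner code. It operates on tasks as a YAML 1.1 loader such as `yaml.safe_load` returns them (bare `yes`/`no`/`true`/`false` become real booleans, quoted values such as `'True'` or `"false"` stay strings), and it mirrors the spellings Ansible's own boolean argument conversion accepts. The function names, the constructed sample tasks and the `vol-EXAMPLE` id are this example's own.

```python
# Added example: minimal checker for the "EBS volume encryption" rule.
# Assumes tasks were already parsed from a playbook (e.g. yaml.safe_load);
# function and constant names here are illustrative, not Datadog/KICS APIs.

# Module names the rule applies to (from the rule description).
EC2_VOL_MODULES = ("amazon.aws.ec2_vol", "ec2_vol")
# Task states for which the rule is not evaluated (from the rule description).
IGNORED_STATES = {"absent", "list"}

# Spellings Ansible's boolean coercion accepts (case-insensitive for strings).
BOOLEANS_TRUE = {"y", "yes", "on", "1", "true", "t"}
BOOLEANS_FALSE = {"n", "no", "off", "0", "false", "f"}


def ansible_bool(value):
    """Return True/False as Ansible would coerce `value`, or None if it is not a recognised boolean."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        if value in (1, 1.0):
            return True
        if value in (0, 0.0):
            return False
        return None
    if isinstance(value, str):
        text = value.strip().lower()
        if text in BOOLEANS_TRUE:
            return True
        if text in BOOLEANS_FALSE:
            return False
    return None


def find_unencrypted_volumes(tasks):
    """Return (task name, reason) for ec2_vol tasks whose `encrypted` is not truthy or is missing."""
    findings = []
    for task in tasks:
        module = next((m for m in EC2_VOL_MODULES if m in task), None)
        if module is None:
            continue  # not an EBS volume task
        params = task[module]
        if not isinstance(params, dict):
            continue  # free-form / unparseable arguments: nothing to evaluate
        if params.get("state") in IGNORED_STATES:
            continue  # deleting or listing volumes does not create unencrypted data
        name = task.get("name", "<unnamed task>")
        if "encrypted" not in params:
            findings.append((name, "encrypted attribute missing"))
        elif ansible_bool(params["encrypted"]) is not True:
            findings.append((name, "encrypted is %r" % (params["encrypted"],)))
    return findings


# Constructed sample tasks mirroring the page's compliant and non-compliant
# examples, written as a YAML 1.1 loader would represent them, plus one task
# using the legacy module name with an ignored state.
SAMPLE_TASKS = [
    {"name": "Creating EBS volume05", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "encrypted": True, "volume_size": 50}},
    {"name": "Creating EBS volume06", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "encrypted": "True", "volume_size": 50}},
    {"name": "Creating EBS volume01", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "encrypted": False, "volume_size": 50}},
    {"name": "Creating EBS volume02", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "encrypted": False, "volume_size": 50}},
    {"name": "Creating EBS volume03", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "encrypted": "false", "volume_size": 50}},
    {"name": "Creating EBS volume04", "amazon.aws.ec2_vol": {"instance": "XXXXXX", "volume_size": 50}},
    {"name": "Remove old volume", "ec2_vol": {"id": "vol-EXAMPLE", "state": "absent"}},
]


def flagged_task_names(tasks=SAMPLE_TASKS):
    """Convenience wrapper returning only the names of flagged tasks."""
    return [name for name, _reason in find_unencrypted_volumes(tasks)]


if __name__ == "__main__":
    for name, reason in find_unencrypted_volumes(SAMPLE_TASKS):
        print("FLAGGED: %s (%s)" % (name, reason))
```

Run against the sample tasks, the checker flags volume01 through volume04 (false, quoted "false", and a missing attribute) and accepts volume05 and volume06, including the quoted `'True'`, because Ansible coerces that string to a boolean when the module runs; the `state: absent` task is skipped as the rule description specifies.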

Secure Ansible example:

- name: Create encrypted EBS volume
  amazon.aws.ec2_vol:
    volume_size: 10
    region: us-east-1
    encrypted: yes

Compliant Code Examples

- name: Creating EBS volume05
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: yes
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume06
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: 'True'
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf

Non-Compliant Code Examples

---
- name: Creating EBS volume01
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: no
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume02
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: false
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume03
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: "false"
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume04
  amazon.aws.ec2_vol:
    instance: XXXXXX
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf