---
title: EBS volume encryption disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EBS volume encryption disabled
---

# EBS volume encryption disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `4b6012e7-7176-46e4-8108-e441785eae57`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted)

### Description{% #description %}

Encrypt EBS volumes to protect data at rest and ensure snapshots and backups are also encrypted. Unencrypted volumes and their snapshots risk exposure if storage media or backups are compromised. For Ansible, tasks using the `amazon.aws.ec2_vol` or legacy `ec2_vol` modules must define the `encrypted` property and set it to `true` (or `yes`). Tasks with `state` set to `absent` or `list` are ignored. Resources with `encrypted` set to `false` or missing the `encrypted` attribute are flagged.

Secure Ansible example:

```yaml
- name: Create encrypted EBS volume
  amazon.aws.ec2_vol:
    volume_size: 10
    region: us-east-1
    encrypted: yes
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Creating EBS volume05
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: yes
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume06
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: 'True'
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Creating EBS volume01
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: no
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume02
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: false
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume03
  amazon.aws.ec2_vol:
    instance: XXXXXX
    encrypted: "false"
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
- name: Creating EBS volume04
  amazon.aws.ec2_vol:
    instance: XXXXXX
    volume_size: 50
    volume_type: gp2
    device_name: /dev/xvdf
```
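The rule logic described above, applied as an added example that is not Datadog's scanner code or the Ansible module: a small Python check over tasks shaped the way `yaml.safe_load()` returns them (the loader call is left out so it runs offline), with sample tasks constructed from the compliant and non-compliant examples on this page plus a `state: absent` task and a legacy `ec2_vol` task. The truthy set mirrors the strings Ansible's boolean conversion accepts.

```python
"""Flag Ansible ec2_vol tasks that create EBS volumes without encryption."""

# Modules the rule covers: the collection name and the legacy short name.
EC2_VOL_MODULES = {"amazon.aws.ec2_vol", "ec2_vol"}
# Task states the rule ignores: nothing is created or modified.
IGNORED_STATES = {"absent", "list"}
# Lowercase strings Ansible's boolean conversion treats as true.
TRUTHY = {"y", "yes", "on", "1", "true", "t"}


def is_truthy(value):
    """Ansible-style boolean: accepts real bools and strings such as 'True'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def find_unencrypted_volumes(tasks):
    """Return the names of tasks that create a volume without encrypted=true."""
    findings = []
    for task in tasks:
        module = next((m for m in EC2_VOL_MODULES if m in task), None)
        if module is None:
            continue
        params = task[module] or {}
        if params.get("state", "present") in IGNORED_STATES:
            continue
        # A missing key and any non-true value are both flagged.
        if not is_truthy(params.get("encrypted", False)):
            findings.append(task.get("name", "<unnamed>"))
    return findings


def vol_task(name, module="amazon.aws.ec2_vol", **params):
    """Build a task dict in the shape yaml.safe_load() produces (constructed)."""
    return {"name": name, module: params}


# Constructed sample mirroring the page's examples: PyYAML (YAML 1.1) loads a
# bare yes/no as a bool and leaves quoted values such as 'True' as strings.
SAMPLE_TASKS = [
    vol_task("Creating EBS volume05", encrypted=True),       # encrypted: yes
    vol_task("Creating EBS volume06", encrypted="True"),     # encrypted: 'True'
    vol_task("Creating EBS volume01", encrypted=False),      # encrypted: no
    vol_task("Creating EBS volume02", encrypted=False),      # encrypted: false
    vol_task("Creating EBS volume03", encrypted="false"),    # encrypted: "false"
    vol_task("Creating EBS volume04"),                       # key missing
    vol_task("Delete old volume", state="absent"),           # ignored by rule
    vol_task("Legacy module", module="ec2_vol", encrypted="no"),
]

if __name__ == "__main__":
    for name in find_unencrypted_volumes(SAMPLE_TASKS):
        print(f"FLAGGED: {name}")
```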
