For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-ebs-volume-encryption-disabled.md. A documentation index is available at /llms.txt.

EBS volume encryption disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-ebs-volume-encryption-disabled

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Encryption

Learn More

Description

Amazon EBS volumes must be encrypted to protect data at rest from unauthorized access and to prevent sensitive information from being exposed via unencrypted snapshots or compromised storage. In CloudFormation, the Encrypted property on AWS::EC2::Volume resources must be defined and set to true. Resources that omit the Encrypted property or have Encrypted set to false will be flagged. Optionally specify KmsKeyId to use a customer-managed AWS KMS key for encryption and key rotation policies.

Secure configuration example:

MyVolume:
  Type: AWS::EC2::Volume
  Properties:
    AvailabilityZone: us-east-1a
    Size: 100
    Encrypted: true
    KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd-1234-ef56-...

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume"
Resources:
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      Encrypted: true
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Volume",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Encrypted": true,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone",
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ],
        "Size": 100
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume"
Resources:
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      Encrypted: false
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot

AWSTemplateFormatVersion: "2010-09-09"
Description: "Volume 02"
Resources:
  NewVolume02:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Volume",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Tags": [
          {
            "Key": "MyTag",
            "Value": "TagValue"
          }
        ],
        "Size": 100,
        "Encrypted": false,
        "AvailabilityZone": "Ec2Instance.AvailabilityZone"
      },
      "DeletionPolicy": "Snapshot"
    }
  }
}