For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-ebs-volume-not-attached-to-instances.md. A documentation index is available at /llms.txt.

EBS volume not attached to instances

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-ebs-volume-not-attached-to-instances

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Availability

Learn More

Description

Unattached Amazon EBS volumes can retain sensitive data at rest and therefore increase the risk of data exposure or unauthorized access if snapshots are created, shared, or the storage is otherwise misused. In CloudFormation, each AWS::EC2::Volume should be associated with an AWS::EC2::VolumeAttachment whose Properties.VolumeId references the volume (typically using Ref to the volume logical ID). Resources missing a corresponding AWS::EC2::VolumeAttachment or where no AWS::EC2::VolumeAttachment resource’s Properties.VolumeId equals the volume’s Ref will be flagged.

Note: This rule detects explicit AWS::EC2::VolumeAttachment resources and may not catch attachments made via instance block device mappings, LaunchConfigurations, or Auto Scaling constructs.

Secure example with an explicit attachment:

MyVolume:
  Type: AWS::EC2::Volume
  Properties:
    AvailabilityZone: us-east-1a
    Size: 100
    Encrypted: true

AttachVolume:
  Type: AWS::EC2::VolumeAttachment
  Properties:
    InstanceId: !Ref MyInstance
    VolumeId: !Ref MyVolume
    Device: /dev/sdf

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
    NewVolume:
        Type: AWS::EC2::Volume
        Properties:
            Size: 100
            AvailabilityZone: us-west-1
    MountPoint:
        Type: AWS::EC2::VolumeAttachment
        Properties:
            InstanceId: !Ref Ec2Instance
            VolumeId: !Ref NewVolume
            Device: /dev/sdh

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Size": 100,
        "AvailabilityZone": "us-west-1"
      }
    },
    "MountPoint": {
      "Type": "AWS::EC2::VolumeAttachment",
      "Properties": {
        "VolumeId": "NewVolume",
        "Device": "/dev/sdh",
        "InstanceId": "Ec2Instance"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
    NewVolume:
        Type: AWS::EC2::Volume
        Properties:
            Size: 100
            AvailabilityZone: us-west-1

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "NewVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "AvailabilityZone": "us-west-1",
        "Size": 100
      }
    }
  }
}