This product is not supported for your selected
Datadog site. (
).
Id: 8bbb242f-6e38-4127-86d4-d8f0b2687ae2
Cloud Provider: aws
Framework: Terraform
Severity: Medium
Category: Encryption
Learn More
Description
Amazon Machine Images (AMIs) created without EBS encryption can result in sensitive data stored on volumes being exposed if the underlying storage is compromised. To mitigate this, AMI resources should have the encrypted = true
attribute set within each ebs_block_device
block to ensure all data at rest is protected.
For example, a secure Terraform configuration would look like the following:
resource "aws_ami" "secure" {
name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda"
ebs_block_device {
device_name = "/dev/xvda"
snapshot_id = "snap-xxxxxxxx"
volume_size = 8
encrypted = true
}
}
Compliant Code Examples
#this code is a correct code for which the query should not find any result
resource "aws_ami" "negative1" {
name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda2"
ebs_block_device {
device_name = "/dev/xvda2"
snapshot_id = "snap-xxxxxxxx"
volume_size = 8
encrypted = true
}
}
Non-Compliant Code Examples
resource "aws_ami" "positive1" {
name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda"
ebs_block_device {
device_name = "/dev/xvda"
snapshot_id = "snap-xxxxxxxx"
volume_size = 8
}
}
resource "aws_ami" "positive2" {
name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda1"
ebs_block_device {
device_name = "/dev/xvda1"
snapshot_id = "snap-xxxxxxxx"
volume_size = 8
encrypted = false
}
}
resource "aws_ami" "positive3" {
name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda1"
}