EBS volumes must be encrypted
Default Severity: high
Explanation
Enabling encryption on EBS volumes protects the volume, its disk I/O and any derived snapshots from compromise if they are intercepted.
Possible Impact
Unencrypted sensitive data is vulnerable to compromise.
Suggested Resolution
Enable encryption of EBS volumes
Insecure Example
The following example will fail the aws-ec2-enable-volume-encryption check.
resource "aws_ebs_volume" "bad_example" {
  availability_zone = "us-west-2a"
  size              = 40

  tags = {
    Name = "HelloWorld"
  }

  encrypted = false
}
Secure Example
The following example will pass the aws-ec2-enable-volume-encryption check.
resource "aws_ebs_volume" "good_example" {
  availability_zone = "us-west-2a"
  size              = 40

  tags = {
    Name = "HelloWorld"
  }

  encrypted = true
}