
Database

Non-encrypted confidential information - EBS Volumes

Need

Secure encryption of confidential information stored in EBS volumes

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

1. Non-compliant code

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = false # data at rest is stored in plaintext
}

The above Terraform code describes an AWS EBS volume resource named "example". The volume is created with a size of 40 GiB in the "us-west-2a" availability zone. The vulnerability lies in the `encrypted` attribute, which is set to `false`. This means that the EBS volume is not encrypted, and any data stored on this volume is not protected at rest. If an attacker gains access to this volume, they can potentially read sensitive data without any restrictions. An EBS volume stores data for whichever instance it is attached to; this can include user data, application data, and system data belonging to the instance. The lack of encryption on this EBS volume means all of this data is at risk. AWS provides the ability to encrypt EBS volumes to add an additional layer of security to your data at rest. The encryption occurs on the servers that host EC2 instances, so data is also encrypted as it moves between EC2 instances and EBS storage.

2. Steps

• Identify all the EBS volumes in your infrastructure that are not encrypted

• Update the configuration of each EBS volume to set the `encrypted` property to `true`

• Verify that the `encrypted` property is set to `true` for all the EBS volumes

• Re-deploy or update your infrastructure to apply the changes
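The identification and verification steps above can be scripted. The following is an added example, not code from the original page: it checks Terraform source for `aws_ebs_volume` resources that are not explicitly encrypted (covering both `encrypted = false` and an omitted attribute, since omitting it leaves the decision to the account's default-encryption setting), and it filters the `Volumes` list returned by `ec2:DescribeVolumes` down to unencrypted volumes. The Terraform snippet and the volume records are constructed sample data; `fetch_volumes` uses boto3 (the AWS SDK for Python, as mentioned in the context) and is only needed when auditing a real account.

```python
"""Audit EBS volumes for encryption at rest: in Terraform source and in a live account."""
import re
from typing import Iterable

# --- 1. Static check on Terraform (HCL) source --------------------------------

# Matches each aws_ebs_volume resource block, capturing its name and body.
# Assumption: bodies contain no nested braces, which holds for the simple
# resources shown on this page.
_RESOURCE_RE = re.compile(
    r'resource\s+"aws_ebs_volume"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}'
)
_ENCRYPTED_RE = re.compile(
    r"^\s*encrypted\s*=\s*(?P<value>true|false)\s*$", re.MULTILINE
)


def unencrypted_terraform_volumes(hcl: str) -> list[str]:
    """Return names of aws_ebs_volume resources that are not explicitly encrypted.

    Only an explicit `encrypted = true` passes: `encrypted = false` is the
    vulnerable setting, and an omitted attribute depends on the account's
    EBS default-encryption setting rather than on the reviewed code.
    """
    findings = []
    for m in _RESOURCE_RE.finditer(hcl):
        enc = _ENCRYPTED_RE.search(m.group("body"))
        if enc is None or enc.group("value") != "true":
            findings.append(m.group("name"))
    return findings


# --- 2. Live check on the DescribeVolumes response ----------------------------

def unencrypted_volumes(volumes: Iterable[dict]) -> list[dict]:
    """Filter DescribeVolumes 'Volumes' entries down to the unencrypted ones.

    Each finding keeps the volume id, its AZ and the attached instance ids,
    which is what an operator needs to plan the migration to an encrypted copy.
    """
    return [
        {
            "VolumeId": v["VolumeId"],
            "AvailabilityZone": v.get("AvailabilityZone"),
            "Attached": [a["InstanceId"] for a in v.get("Attachments", [])],
        }
        for v in volumes
        if not v.get("Encrypted", False)
    ]


def fetch_volumes(region: str) -> list[dict]:
    """Page through ec2:DescribeVolumes with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline checks run without the SDK

    ec2 = boto3.client("ec2", region_name=region)
    volumes: list[dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    return volumes


# --- Constructed sample input (not real infrastructure) -----------------------

SAMPLE_TF = '''
resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = false
}

resource "aws_ebs_volume" "logs" {
  availability_zone = "us-west-2a"
  size              = 100
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-west-2b"
  size              = 200
  encrypted         = true
}
'''

# Shape follows the DescribeVolumes API; ids are constructed placeholders.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0example0000000001", "AvailabilityZone": "us-west-2a",
     "Encrypted": False, "Attachments": [{"InstanceId": "i-0example0000000001"}]},
    {"VolumeId": "vol-0example0000000002", "AvailabilityZone": "us-west-2a",
     "Encrypted": True, "Attachments": []},
]

if __name__ == "__main__":
    print("Terraform resources to fix:", unencrypted_terraform_volumes(SAMPLE_TF))
    print("Live volumes to fix:", unencrypted_volumes(SAMPLE_VOLUMES))
    # Against a real account: unencrypted_volumes(fetch_volumes("us-west-2"))
```

Run the static check in CI against the `.tf` files and the live check after `terraform apply`; an existing unencrypted volume cannot be encrypted in place, so changing `encrypted` on it forces a replacement, and data must be copied to the new encrypted volume (for example via a snapshot).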

3. Secure code example

resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true # data at rest is encrypted with the account's default EBS KMS key
}

The above code is a fixed version of the vulnerable code. The vulnerability was that the EBS volume was not encrypted, which could potentially allow an attacker to read sensitive information stored on the volume. In the fixed code, the `encrypted` property of the `aws_ebs_volume` resource is set to `true`. This means that the EBS volume will be encrypted, preventing unauthorized access to the data it contains. The `availability_zone` and `size` properties remain the same as in the original code. The `availability_zone` property specifies the AWS availability zone in which the EBS volume is to be created, and the `size` property specifies the size of the EBS volume in GiB. After updating the code, you should re-deploy or update your infrastructure to apply the changes. You should also verify that the `encrypted` property is set to `true` for all the EBS volumes in your infrastructure.