Non-encrypted hard drives - CloudFormation
Need
Implementation of full disk encryption
Context
- Usage of AWS CloudFormation for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Insecure Code Example
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeType: gp2
            VolumeSize: 50
            # No Encrypted property: the root volume is created unencrypted
The template above creates an EC2 instance and defines its root volume through the `BlockDeviceMappings` property: a 50 GB General Purpose SSD (`gp2`) attached as `/dev/sda1`. The `Ebs` block never sets `Encrypted`, so unless the account has EBS encryption by default turned on for that region, the volume is created unencrypted. Everything written to it, every snapshot taken from it, and every volume restored from those snapshots is then stored in plaintext, and anyone with permission to snapshot the volume or attach it to another instance can read the data without needing any KMS permission. That is a serious exposure when the instance stores sensitive customer data.
Steps
- Enable encryption for the root volume of the EC2 instance by setting `Encrypted: true` in the `Ebs` block of its `BlockDeviceMappings` entry; do the same for any additional data volumes the instance mounts.
- Consider referencing a customer managed AWS KMS key through the `KmsKeyId` property so that access to the data can be restricted and audited through the key policy; make sure that policy allows the principals that launch the instance to use the key, otherwise the encrypted volume cannot be created and attached.
- Keep in mind that an existing volume cannot be encrypted in place: applying this change to a running stack replaces the instance, so data that must survive has to be migrated first (snapshot the volume, copy the snapshot with encryption enabled, restore from the copy).
Secure Code Example
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeType: gp3
            VolumeSize: 50
            # Encrypt the root volume at rest with the referenced KMS key
            Encrypted: true
            KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/abcd1234a1234dea4ec1234567890a12 # Replace with your KMS key ARN
The updated template sets `Encrypted: true` on the root volume's `Ebs` block, and `KmsKeyId` selects a customer managed AWS KMS key for that encryption. Replace the placeholder with the ARN of your own key (a key ID, an alias name or an alias ARN are also accepted). If `KmsKeyId` is omitted, EBS encrypts the volume with the account's default EBS encryption key, which is the AWS managed key `aws/ebs` unless a different default has been configured. The switch from `gp2` to `gp3` is an unrelated cost and performance choice, not part of the fix. With encryption enabled, the volume, every snapshot taken from it and every volume restored from those snapshots are encrypted at rest, and reading the data additionally requires permission to use the key, which protects the sensitive customer data stored on the instance.
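The following is an added example, not code from the original page or from AWS: a small offline check that walks a CloudFormation template and reports every EBS volume definition that does not set `Encrypted` to `true`, so the insecure template above is caught before deployment and the secure one passes. It reads the template in CloudFormation's JSON form so that only the standard library is needed; the embedded templates are constructed JSON equivalents of the page's insecure and secure examples, plus one constructed mixed case. The assumptions made here are that the three resource types covered (`AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::Volume`) are the ones your templates use, and that a value produced by an intrinsic function (`Ref`, `Fn::If`) should be reported for manual review rather than trusted.

```python
"""Offline check for EBS volumes that a CloudFormation template leaves unencrypted."""
import json

# Constructed input: JSON form of the page's insecure template.
INSECURE_TEMPLATE = """
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {"EC2Instance": {"Type": "AWS::EC2::Instance",
   "Properties": {"ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
       "Ebs": {"VolumeType": "gp2", "VolumeSize": 50}}]}}}}
"""

# Constructed input: JSON form of the page's secure template.
SECURE_TEMPLATE = """
{"AWSTemplateFormatVersion": "2010-09-09",
 "Resources": {"EC2Instance": {"Type": "AWS::EC2::Instance",
   "Properties": {"ImageId": "ami-0c94855ba95c574c8", "InstanceType": "t2.micro",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1",
       "Ebs": {"VolumeType": "gp3", "VolumeSize": 50, "Encrypted": true,
         "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/abcd1234a1234dea4ec1234567890a12"}}]}}}}
"""

# Constructed input (hypothetical): a standalone volume with no Encrypted
# property and a launch template whose setting depends on a parameter.
MIXED_TEMPLATE = """
{"Parameters": {"EncryptData": {"Type": "String", "Default": "true"}},
 "Resources": {
   "DataVolume": {"Type": "AWS::EC2::Volume",
     "Properties": {"AvailabilityZone": "us-west-2a", "Size": 100}},
   "WebLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate",
     "Properties": {"LaunchTemplateData": {"BlockDeviceMappings": [
       {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": {"Ref": "EncryptData"}}},
       {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 200, "Encrypted": true}}]}}}}}
"""


def _ebs_blocks(rtype, props):
    """Yield (label, ebs_dict) for every EBS definition inside a resource's Properties."""
    if rtype == "AWS::EC2::Volume":
        # A standalone volume carries Encrypted directly on its Properties.
        yield "Volume", props
        return
    if rtype == "AWS::EC2::Instance":
        mappings = props.get("BlockDeviceMappings", [])
    elif rtype == "AWS::EC2::LaunchTemplate":
        mappings = props.get("LaunchTemplateData", {}).get("BlockDeviceMappings", [])
    else:
        return  # resource type not covered by this check (assumption: see lead-in)
    for mapping in mappings:
        if isinstance(mapping, dict) and isinstance(mapping.get("Ebs"), dict):
            yield mapping.get("DeviceName", "?"), mapping["Ebs"]


def encryption_state(ebs):
    """Classify one EBS definition as 'encrypted', 'unencrypted' or 'unknown'.

    A missing Encrypted property counts as unencrypted: the volume is only
    encrypted in that case if the account has EBS encryption by default on,
    which a template cannot guarantee. Intrinsic functions are resolved at
    deploy time, so they are reported as 'unknown' for manual review.
    """
    value = ebs.get("Encrypted")
    if value is True or (isinstance(value, str) and value.lower() == "true"):
        return "encrypted"
    if value is None or value is False or (isinstance(value, str) and value.lower() == "false"):
        return "unencrypted"
    return "unknown"


def scan_template(template_json):
    """Return (resource name, device label, state) for every non-encrypted EBS definition."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        for label, ebs in _ebs_blocks(rtype, props):
            state = encryption_state(ebs)
            if state != "encrypted":
                findings.append((name, label, state))
    return findings


if __name__ == "__main__":
    for tag, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE), ("mixed", MIXED_TEMPLATE)):
        for name, label, state in scan_template(text):
            print(f"{tag}: {name} {label}: {state}")
```

Run it on a template exported as JSON (or on YAML converted with `cfn-flip`) as a pre-deployment gate; a non-empty result from `scan_template` is a finding. The check is deliberately conservative: it flags an omitted `Encrypted` even though an encrypted AMI snapshot or account-level default encryption would produce an encrypted volume at runtime, because the template itself does not enforce that.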
Last updated
2025/04/03