Non-encrypted confidential information - EBS Volumes - Cloudformation


Need

Secure encryption of confidential information stored in EBS volumes


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Insecure Code Example

```yaml
Resources:
  UnencryptedEBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: us-west-2a
      Size: 40
      Encrypted: false
```

The CloudFormation snippet above defines an `AWS::EC2::Volume` resource that provisions an Amazon EBS volume in the `us-west-2a` Availability Zone with a size of 40 GiB. The volume is not encrypted because the `Encrypted` property is explicitly set to `false`; omitting the property has the same effect, since it defaults to unencrypted. This is a security risk because data stored on the volume is not protected at rest: if an attacker gains access to the volume or a snapshot of it, sensitive system, user, or application data could be exposed. It is considered best practice to always enable encryption at rest for EBS volumes. AWS provides native support for encryption using AWS KMS-managed keys, and enabling it ensures that the data remains protected even if unauthorized access to the volume occurs.

Steps

  1. Identify all the EBS volumes in your infrastructure that are not encrypted
  2. Update the CloudFormation templates to include the `Encrypted: true` property in each AWS::EC2::Volume resource
  3. Deploy the updated CloudFormation stack to enforce encryption at rest
  4. Verify through the AWS Console or CLI that all volumes are encrypted
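The following script is an added example (not part of the original page or of any AWS tooling) that supports step 1 by scanning a CloudFormation template for `AWS::EC2::Volume` resources that are not encrypted. It reads the JSON form of the template with the standard library only; the embedded template is a constructed sample that mirrors the page's insecure and secure snippets plus a volume with `Encrypted` omitted.

```python
import json
from typing import Any, List

# Constructed sample template in CloudFormation JSON form (same resources as the
# page's YAML snippets, plus one volume that omits the Encrypted property).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "UnencryptedEBSVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-west-2a", "Size": 40, "Encrypted": False},
        },
        "ImplicitEBSVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-west-2a", "Size": 40},
        },
        "EncryptedEBSVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-west-2a", "Size": 40, "Encrypted": True},
        },
    }
})


def _is_true(value: Any) -> bool:
    """CloudFormation accepts a boolean or the strings 'true'/'false' here."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unencrypted_volumes(template_text: str) -> List[str]:
    """Return logical IDs of AWS::EC2::Volume resources that are not encrypted.

    A volume is reported when Encrypted is omitted, false, or anything that
    cannot be statically resolved to true (e.g. an intrinsic function such as
    Ref); those cases must be reviewed by hand rather than assumed safe.
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        encrypted = resource.get("Properties", {}).get("Encrypted")
        if not _is_true(encrypted):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for logical_id in find_unencrypted_volumes(SAMPLE_TEMPLATE):
        print(f"{logical_id}: EBS volume is not encrypted at rest")
```

Run it against each template before deployment so step 2 can be applied to every flagged resource; step 4 still needs a post-deployment check, since the template alone does not prove what was actually provisioned.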

Secure Code Example

```yaml
Resources:
  EncryptedEBSVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: us-west-2a
      Size: 40
      Encrypted: true
```

The CloudFormation snippet above is the corrected version of the insecure configuration. The `Encrypted` property is now set to `true`, so data stored on the EBS volume is protected at rest. The volume is encrypted with the default AWS managed key unless a customer-managed KMS key is specified. This significantly reduces the risk of sensitive information being disclosed if the volume or its snapshots are exposed. No other properties were modified; `AvailabilityZone` and `Size` remain as originally configured.


References

  • 407 - Non-encrypted confidential information - EBS Volumes

  • Last updated: 2025/04/04