Terraform Unencrypted Ebs Block Device

Description

Detects AWS Launch Configurations that use unencrypted EBS (Elastic Block Store) volumes. Unencrypted EBS volumes pose a security risk as they store data in plaintext, potentially exposing sensitive information if the volumes are compromised or improperly accessed.

Weakness:

407 - Non-encrypted confidential information - EBS Volumes

Category: Information Collection

Detection Strategy

• Scan Terraform configuration files for 'aws_launch_configuration' resource blocks

• Check if the launch configuration includes EBS volume configurations

• Verify if encryption is enabled for each EBS volume

• Report a vulnerability if any EBS volume is configured without encryption enabled

Vulnerable code example

resource "aws_launch_configuration" "example" {
  instance_type = "t2.micro"
  image_id     = "ami-123"

  root_block_device {
    encrypted = false  # Vulnerable: Root volume not encrypted, exposing data at rest
  }
...

✅ Secure code example

resource "aws_launch_configuration" "example" {
  instance_type = "t2.micro"
  image_id     = "ami-123"

  root_block_device {
    encrypted = true  # Secure: Enable encryption for root volume to protect data at rest
  }
...

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.