Terraform Missing Encrypted Block Device
Description
Detects AWS EC2 instances that have EBS block devices configured without encryption in Terraform configurations. Unencrypted EBS volumes can expose sensitive data if the physical storage is compromised or if snapshots are accessed by unauthorized users.
Detection Strategy
• Scan Terraform configuration files for 'aws_instance' resource blocks
• Check if the EC2 instance has EBS block device mappings defined
• Verify if the 'encrypted' parameter is either missing or set to false in block device configurations
• Report a vulnerability when unencrypted EBS volumes are detected in the instance configuration
Vulnerable code example
```hcl
resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  root_block_device {
    encrypted   = false # Vulnerable: Root volume not encrypted
    volume_size = 50
  }
}
```

✅ Secure code example
```hcl
resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  root_block_device {
    encrypted   = true # Enable encryption for root volume security
    volume_size = 50
    volume_type = "gp2"
  }
}
```
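The detection strategy above, implemented as a small Python scanner. This is an added example, not Fluid Attacks' own checker and not code from the page: it uses a regex and brace matcher rather than a full HCL parser, so it assumes plain `.tf` syntax with `root_block_device` and `ebs_block_device` written as nested blocks. It follows the rule on this page (a missing `encrypted` argument counts as unencrypted) and additionally flags non-literal values such as `var.x` for manual review. The Terraform text it scans is constructed for the example.

```python
import re

# Added example: minimal scanner for the "missing encrypted block device" rule.
# Not Fluid Attacks' checker; a regex/brace matcher, not a full HCL parser.

# Nested blocks of aws_instance that accept an `encrypted` argument.
BLOCK_DEVICE_TYPES = ("root_block_device", "ebs_block_device")

_RESOURCE_RE = re.compile(r'resource\s+"aws_instance"\s+"([^"]+)"\s*\{')
_BLOCK_RE = re.compile(r"\b(" + "|".join(BLOCK_DEVICE_TYPES) + r")\s*\{")
_ENCRYPTED_RE = re.compile(r"^\s*encrypted\s*=\s*(\S+)", re.MULTILINE)


def _strip_comments(text):
    """Drop #, // and /* */ comments so a commented-out `encrypted = true`
    is not mistaken for an active setting. (Simplification: a '#' or '//'
    inside a quoted string would also be treated as a comment start.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(#|//).*", "", text)


def _block_body(text, open_brace):
    """Return the text between the '{' at index open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform input")


def classify_encrypted(value):
    """Map the raw `encrypted` value to a reporting status."""
    if value is None:
        return "missing"        # argument absent: the rule treats this as unencrypted
    if value.lower() == "true":
        return "encrypted"
    if value.lower() == "false":
        return "unencrypted"
    return "unverifiable"       # e.g. var.x / local.x: cannot be decided statically


def find_unencrypted_block_devices(hcl_text):
    """Return (resource_name, block_type, status, raw_value) for every block
    device of an aws_instance that is not literally `encrypted = true`."""
    findings = []
    text = _strip_comments(hcl_text)
    for res in _RESOURCE_RE.finditer(text):
        name = res.group(1)
        body = _block_body(text, res.end() - 1)
        for blk in _BLOCK_RE.finditer(body):
            blk_body = _block_body(body, blk.end() - 1)
            match = _ENCRYPTED_RE.search(blk_body)
            value = match.group(1) if match else None
            status = classify_encrypted(value)
            if status != "encrypted":
                findings.append((name, blk.group(1), status, value))
    return findings


# Constructed sample input: one vulnerable instance, one mostly fine instance,
# and an unrelated resource that the scanner must ignore.
SAMPLE_TF = """
resource "aws_instance" "web" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  root_block_device {
    encrypted   = false # Vulnerable: Root volume not encrypted
    volume_size = 50
  }
  ebs_block_device {
    device_name = "/dev/sdf"
    volume_size = 100
    # encrypted = true   <- commented out, so the volume stays unencrypted
  }
}

resource "aws_instance" "db" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  root_block_device {
    encrypted   = true
    volume_size = 50
    volume_type = "gp2"
  }
  ebs_block_device {
    device_name = "/dev/sdg"
    encrypted   = var.encrypt_data_volume
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
"""

if __name__ == "__main__":
    for resource, block, status, value in find_unencrypted_block_devices(SAMPLE_TF):
        print(f"aws_instance.{resource} {block}: {status} (encrypted = {value})")
```

Running the block against the constructed sample reports three findings: the `web` root volume (`encrypted = false`), the `web` data volume (argument missing, because the only `encrypted = true` is commented out), and the `db` data volume (value taken from a variable, so it must be checked in the variable's definition). The `db` root volume, which matches the secure example above, is not reported.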