JSON/YAML: EBS Volume Encryption Disabled
Description
Detects AWS::EC2::Volume resources in CloudFormation templates (JSON or YAML) that are not configured with encryption. An unencrypted EBS volume stores data at rest in plaintext, and every snapshot or AMI taken from it is unencrypted as well, so sensitive data can be exposed if the underlying storage is compromised or a snapshot is shared or copied to another account. EBS encryption is transparent to the workload (keys are managed through AWS KMS), so enabling it requires no application changes.
Detection Strategy
• Scan CloudFormation template files (JSON and YAML) for resources of type AWS::EC2::Volume
• Check whether the Encrypted property is absent or explicitly set to false. A missing property leaves the volume unencrypted unless EBS encryption by default is enabled for the account in that region, which the template itself cannot guarantee, so it is treated as a finding. The one exception is a volume restored from an encrypted snapshot (SnapshotId), which is encrypted regardless of the property.
• Report a security finding for each volume resource whose encryption is not explicitly enabled
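The strategy above, as an added example written for this page (not Fluid Attacks' own scanner): a small Python checker that loads a template from JSON or YAML, walks the Resources section, and reports every AWS::EC2::Volume whose Encrypted property is missing, false, or an intrinsic function that cannot be resolved statically. The YAML path needs PyYAML and a custom loader for CloudFormation short-form tags (!Ref, !Sub, !GetAZs); the sample templates are constructed for the demonstration and the logical IDs in them are hypothetical.

```python
"""Added example: flag AWS::EC2::Volume resources without EBS encryption
in CloudFormation templates (JSON or YAML). Illustrative code for this page,
not the scanner described by it."""
import json
from typing import Any, Dict, List

try:
    import yaml  # PyYAML; only required for YAML templates
except ImportError:
    yaml = None  # JSON templates still work without it

VOLUME_TYPE = "AWS::EC2::Volume"


def _cfn_yaml_loader():
    """SafeLoader that accepts CloudFormation short-form tags by turning them
    into their long-form dicts, so templates using intrinsics still parse."""
    class CfnLoader(yaml.SafeLoader):
        pass

    def construct_intrinsic(loader, tag_suffix, node):
        # !Ref X is {"Ref": X}; every other short tag maps to Fn::<Name>.
        key = "Ref" if tag_suffix == "Ref" else "Fn::" + tag_suffix
        if isinstance(node, yaml.ScalarNode):
            return {key: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {key: loader.construct_sequence(node, deep=True)}
        return {key: loader.construct_mapping(node, deep=True)}

    CfnLoader.add_multi_constructor("!", construct_intrinsic)
    return CfnLoader


def load_template(text: str) -> Dict[str, Any]:
    """Parse template text as JSON first, then fall back to CloudFormation YAML."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        if yaml is None:
            raise RuntimeError("PyYAML is required to parse YAML templates")
        return yaml.load(text, Loader=_cfn_yaml_loader())


def check_volume_encryption(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per AWS::EC2::Volume whose encryption is not clearly enabled."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != VOLUME_TYPE:
            continue
        props = resource.get("Properties") or {}
        encrypted = props.get("Encrypted")
        if encrypted is None:
            reason = ("Encrypted property is missing; the volume is plaintext unless "
                      "EBS encryption by default is enabled for the account in this region")
        elif isinstance(encrypted, dict):
            reason = ("Encrypted is an intrinsic function that cannot be resolved "
                      "statically; verify the resolved value is true")
        elif encrypted is True or (isinstance(encrypted, str) and encrypted.lower() == "true"):
            continue  # explicitly enabled; without KmsKeyId the AWS-managed aws/ebs key is used
        else:
            reason = "Encrypted is explicitly false"
        if "SnapshotId" in props:
            # A volume restored from an encrypted snapshot is encrypted regardless.
            reason += " (volume is created from a snapshot: confirm whether that snapshot is encrypted)"
        findings.append({"resource": logical_id, "reason": reason})
    return findings


def scan_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse template text and run the check."""
    return check_volume_encryption(load_template(text))


# Constructed sample templates (hypothetical logical IDs, not from a real account).
SAMPLE_JSON = json.dumps({
    "Resources": {
        "UnsafeVolume": {"Type": VOLUME_TYPE,
                         "Properties": {"Size": 100, "Encrypted": False, "AvailabilityZone": "us-east-1a"}},
        "ImplicitVolume": {"Type": VOLUME_TYPE,
                           "Properties": {"Size": 8, "AvailabilityZone": "us-east-1a"}},
        "SafeVolume": {"Type": VOLUME_TYPE,
                       "Properties": {"Size": 100, "Encrypted": True,
                                      "KmsKeyId": "arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias",
                                      "AvailabilityZone": "us-east-1a"}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})

SAMPLE_YAML = """\
Resources:
  ParamVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 20
      Encrypted: !Ref EncryptVolumes
      AvailabilityZone: !Select [0, !GetAZs '']
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_JSON):
        print(f"{finding['resource']}: {finding['reason']}")
    if yaml is not None:  # YAML sample only runs when PyYAML is installed
        for finding in scan_text(SAMPLE_YAML):
            print(f"{finding['resource']}: {finding['reason']}")
```

On the constructed JSON sample the checker reports UnsafeVolume (explicit false) and ImplicitVolume (property missing) and stays silent on SafeVolume and the non-volume resource; the YAML sample shows how a parameter-driven Encrypted value is surfaced for manual review rather than silently passed.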
Vulnerable code example
{
  "Resources": {
    "UnsafeVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Size": 100,
        "Encrypted": false,  # Explicitly setting encryption to false is insecure; omitting the property is equally insecure
        "AvailabilityZone": "us-east-1a"  # Must be an Availability Zone, not the region name
        ...
      }
    }
  }
}

✅ Secure code example
{
  "Resources": {
    "SafeVolume1": {
      "Type": "AWS::EC2::Volume",
      "Properties": {
        "Size": 100,
        "Encrypted": true,  # Explicitly enable encryption for data at rest
        "KmsKeyId": "arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias",  # Customer managed KMS key (key ID, key ARN, alias name or alias ARN); omit it to use the AWS-managed aws/ebs key
        ...
      }
    }
  }
}

The # comments in both examples are annotations only: JSON has no comment syntax, so strip them before deploying the template. When a customer managed key is used, its key policy must also allow the principals (and the EC2 service, via grants) that attach the volume, or the instance will fail to start.