Json Yaml Ebs Encryption Disabled Launch Config
Description
Detects when AWS Launch Configurations are configured with unencrypted EBS volumes in CloudFormation templates. Unencrypted EBS volumes pose a security risk as they could expose sensitive data at rest if the storage is compromised or improperly accessed.
Detection Strategy
• Look for CloudFormation resources of type 'AWS::AutoScaling::LaunchConfiguration'
• Check if the Launch Configuration has BlockDeviceMappings with EBS volumes specified
• For each EBS volume, verify if encryption is explicitly enabled
• Report a vulnerability if any EBS volume lacks encryption configuration or has it disabled
Vulnerable code example
Resources:
  MyEC2Instance:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-12345678
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs: # Vulnerable: No encryption specified defaults to false...
✅ Secure code example
Resources:
  MyEC2Instance:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-12345678
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:...
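The detection strategy above, implemented over a parsed CloudFormation template as an added example (not Fluid Attacks' own checker). It works on the JSON flavour of the template so it needs only the standard library; a YAML template would first have to be loaded with a parser that understands CloudFormation intrinsic tags. The resource names, the sample template and the finding format are constructed for the example.

```python
"""Added example: flag Launch Configurations whose EBS volumes are not encrypted."""
import json

LAUNCH_CONFIG = "AWS::AutoScaling::LaunchConfiguration"


def find_unencrypted_ebs(template: dict) -> list[str]:
    """Return 'Resource: DeviceName' for every EBS mapping lacking Encrypted: true.

    Follows the detection strategy on the page: only LaunchConfiguration
    resources are inspected, only mappings that carry an Ebs block count, and a
    mapping is reported when Encrypted is absent, null or anything but true.
    """
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LAUNCH_CONFIG:
            continue
        mappings = resource.get("Properties", {}).get("BlockDeviceMappings") or []
        for mapping in mappings:
            if "Ebs" not in mapping:
                continue  # instance-store (ephemeral) mapping: no EBS volume to encrypt
            ebs = mapping.get("Ebs") or {}  # an 'Ebs:' key with no children parses as null
            encrypted = ebs.get("Encrypted")
            # Templates may carry the flag as a real bool or as the string "true".
            if str(encrypted).lower() != "true":
                findings.append(f"{name}: {mapping.get('DeviceName', '?')}")
    return findings


# Constructed sample template: one vulnerable and one secure launch configuration.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "UnencryptedLC": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
    "ImageId": "ami-12345678",
    "BlockDeviceMappings": [
      {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8}},
      {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]}},
  "EncryptedLC": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
    "ImageId": "ami-12345678",
    "BlockDeviceMappings": [
      {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": true}}]}}}}""")

if __name__ == "__main__":
    for finding in find_unencrypted_ebs(SAMPLE_TEMPLATE):
        print("unencrypted EBS volume:", finding)
```

Only the root volume of UnencryptedLC is reported: the ephemeral mapping has no EBS block to encrypt, and EncryptedLC sets Encrypted: true explicitly.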