Terraform Default Encryption Disabled

Description

Detects when AWS EBS encryption by default is explicitly disabled in Terraform configurations, that is, an 'aws_ebs_encryption_by_default' resource whose 'enabled' attribute is set to 'false'. This setting is applied per AWS account and per region: once it is disabled, every new EBS volume created in that region without an explicit 'encrypted = true' on the volume itself is stored unencrypted, potentially exposing sensitive data at rest. Existing volumes are not changed, but the opt-out silently removes the safety net for all future volumes, including those created outside Terraform (console, CLI, Auto Scaling).

Weakness:

250 - Non-encrypted hard drives

Category: Information Collection

Detection Strategy

    Scan Terraform configuration files for 'aws_ebs_encryption_by_default' resource blocks

    Check if the resource has an 'enabled' attribute explicitly set to 'false'; the attribute is optional and the provider defaults it to 'true', so a block that omits it is not reported

    Report a vulnerability when encryption by default is disabled, since new volumes in that region would be created without encryption unless each one sets 'encrypted = true' individually
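The three steps above as a minimal static check. This is an added example, not the scanner's own code: it walks a constructed Terraform snippet line by line, tracks brace depth so that only the resource's own 'enabled' attribute is inspected, strips '#' and '//' line comments, and classifies the value. The sample configuration, the resource names in it and the 'Finding' type are assumptions; treating a value that cannot be resolved statically (a variable reference) as a separate "unresolved" result rather than a vulnerability is also a design choice of this example, not part of the rule as stated.

```python
import re
from dataclasses import dataclass

# Constructed sample Terraform configuration (not from the original page): one
# explicit opt-out, one explicit opt-in, one block relying on the provider
# default, one driven by a variable, one with a commented-out opt-out, and an
# unrelated volume resource that this rule must ignore.
SAMPLE_TF = '''
resource "aws_ebs_encryption_by_default" "disabled" {
  enabled = false  # explicit opt-out: reported
}

resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

resource "aws_ebs_encryption_by_default" "implicit" {
  # 'enabled' omitted: the provider defaults it to true
}

resource "aws_ebs_encryption_by_default" "from_var" {
  enabled = var.ebs_default_encryption
}

resource "aws_ebs_encryption_by_default" "commented" {
  # enabled = false
  enabled = "true"
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 40
  encrypted         = false
}
'''

RESOURCE_RE = re.compile(
    r'^\s*resource\s+"aws_ebs_encryption_by_default"\s+"([^"]+)"\s*\{'
)
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*(.+?)\s*$')


@dataclass(frozen=True)
class Finding:
    resource: str  # Terraform resource name (second label of the block)
    line: int      # 1-based line of the 'enabled' attribute
    status: str    # "disabled" (vulnerable) or "unresolved" (needs review)


def _strip_comment(line):
    # HCL line comments start with '#' or '//'. The values this rule inspects
    # (booleans, references) never contain those characters, so a plain cut
    # is sufficient here.
    for marker in ("#", "//"):
        idx = line.find(marker)
        if idx != -1:
            line = line[:idx]
    return line.rstrip()


def classify(value):
    # Terraform accepts both bare and quoted booleans for this attribute.
    literal = value.strip().strip('"').lower()
    if literal == "false":
        return "disabled"
    if literal == "true":
        return "enabled"
    return "unresolved"  # e.g. var.x, local.x, module output


def scan(config):
    """Return findings for every aws_ebs_encryption_by_default block."""
    findings = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        header = RESOURCE_RE.match(lines[i])
        if not header:
            i += 1
            continue
        name = header.group(1)
        body = _strip_comment(lines[i])
        depth = body.count("{") - body.count("}")
        i += 1
        while i < len(lines) and depth > 0:
            body = _strip_comment(lines[i])
            if depth == 1:  # only top-level attributes of this resource
                attr = ENABLED_RE.match(body)
                if attr:
                    status = classify(attr.group(1))
                    if status != "enabled":
                        findings.append(Finding(name, i + 1, status))
            depth += body.count("{") - body.count("}")
            i += 1
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TF):
        print(f"line {f.line}: aws_ebs_encryption_by_default.{f.resource} -> {f.status}")
```

Only the block that sets 'enabled = false' is reported as vulnerable; the omitted attribute and the commented-out line produce nothing, and the variable-driven block surfaces as unresolved so a reviewer can check the value it receives.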

Vulnerable code example

resource "aws_ebs_encryption_by_default" "example" {
  enabled = false  # Security risk: every new EBS volume in this region is created unencrypted unless it sets encrypted = true itself
}

✅ Secure code example

resource "aws_ebs_encryption_by_default" "example" {
  enabled = true  # Encrypt all new EBS volumes in the region with the account's default EBS KMS key (omitting 'enabled' has the same effect, since it defaults to true)
}