Instance with unencrypted block device.
Block devices should be encrypted to ensure sensitive data is held securely at rest.
Impact
The block device could be compromised and read from
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Turn on encryption for all block devices
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
Resources:
GoodExample:
Type: AWS::EC2::Instance
Properties:
ImageId: "ami-79fd7eee"
KeyName: "testkey"
UserData: export SSM_PATH=/database/creds
BlockDeviceMappings:
- DeviceName: "/dev/sdm"
Ebs:
Encrypted: True
VolumeType: "io1"
Iops: "200"
DeleteOnTermination: "false"
VolumeSize: "20"
|
Turn on encryption for all block devices
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
resource "aws_instance" "good_example" {
ami = "ami-7f89a64f"
instance_type = "t1.micro"
root_block_device {
encrypted = true
}
ebs_block_device {
device_name = "/dev/sdg"
volume_size = 5
volume_type = "gp2"
delete_on_termination = false
encrypted = true
}
}
|
Links