Amazon Elastic Block Store (EBS) is a block-storage service for Amazon EC2. EBS encryption protects data at rest on the volume, data moving between the instance and the volume, and every snapshot taken from an encrypted volume.
When EBS volume encryption is disabled, data stored on the volume is not protected cryptographically. If an attacker gains access to the underlying storage, for example through a snapshot shared too widely or a compromised AWS account, the data is exposed in plaintext. Encryption and decryption are performed transparently on the EC2 host using an AWS KMS key (the AWS-managed aws/ebs key or a customer-managed key), so enabling it requires no changes to the application.
Unencrypted EBS volumes can expose all data they contain if the underlying storage is accessed without authorization. This includes database files, application data, logs, and other sensitive information that an attacker could read, copy, or exfiltrate, leading to data breaches and regulatory non-compliance.
EBS volume encryption is disabled, either explicitly by setting the Encrypted property to false or implicitly by omitting it when EBS encryption by default is not enabled for the account in that Region. Note that a volume's encryption state cannot be changed after creation: an existing unencrypted volume is remediated by taking a snapshot and creating a new, encrypted volume from it.
Noncompliant code example:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Ec2Volume:
    Type: AWS::EC2::Volume # Noncompliant: Encrypted is omitted, so the volume is unencrypted unless encryption by default is on
    Properties:
      AvailabilityZone: us-east-1a # required by CloudFormation, unrelated to the finding
      Size: 10
Compliant solution:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Ec2Volume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: us-east-1a
      Size: 10
      Encrypted: true # uses the AWS-managed aws/ebs key unless KmsKeyId names another key
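The rule above distinguishes an explicit Encrypted: false from an omitted Encrypted property whose meaning depends on the account's encryption-by-default setting. The following checker, added here as an example and not part of the rule's own implementation, applies that logic to a CloudFormation template in JSON form. The template SAMPLE_TEMPLATE, its logical IDs and the EncryptData parameter are constructed for illustration; the default_encryption_enabled flag is an assumption supplied by the caller, because a static scan cannot know the account setting.

```python
"""Flag AWS::EC2::Volume resources in a CloudFormation template whose encryption is off.

Added example, not the page's own code. A volume is reported when Encrypted is
explicitly false, when Encrypted is omitted and EBS encryption by default is not
enabled for the account/Region (caller-supplied assumption), or when Encrypted is
an intrinsic function that cannot be evaluated statically.
"""
from __future__ import annotations

import json
from typing import List, Optional, Tuple

VOLUME_TYPE = "AWS::EC2::Volume"


def _as_bool(value) -> Optional[bool]:
    """CloudFormation accepts booleans as true/false or as the strings "true"/"false".
    Returns None for anything else, e.g. an intrinsic such as {"Ref": "SomeParam"}."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def volume_encryption_findings(template: dict,
                               default_encryption_enabled: bool = False) -> List[Tuple[str, str]]:
    """Return (logical_id, reason) for every EBS volume that is not provably encrypted.

    reason is one of:
      "explicit"   - Encrypted is set to false
      "implicit"   - Encrypted is omitted and encryption by default is off
      "unresolved" - Encrypted is an intrinsic function; needs manual review
    """
    findings: List[Tuple[str, str]] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != VOLUME_TYPE:
            continue
        props = resource.get("Properties") or {}
        if "Encrypted" not in props:
            if not default_encryption_enabled:
                findings.append((logical_id, "implicit"))
            continue
        encrypted = _as_bool(props["Encrypted"])
        if encrypted is None:
            findings.append((logical_id, "unresolved"))
        elif encrypted is False:
            findings.append((logical_id, "explicit"))
    return findings


# Constructed sample template (JSON form of CloudFormation), one volume per case
# plus an unrelated resource that the checker must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"EncryptData": {"Type": "String", "Default": "true"}},
  "Resources": {
    "PlainVolume":    {"Type": "AWS::EC2::Volume",
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": false}},
    "ImplicitVolume": {"Type": "AWS::EC2::Volume",
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10}},
    "ParamVolume":    {"Type": "AWS::EC2::Volume",
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10,
                                      "Encrypted": {"Ref": "EncryptData"}}},
    "SafeVolume":     {"Type": "AWS::EC2::Volume",
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": "true"}},
    "WebSG":          {"Type": "AWS::EC2::SecurityGroup",
                       "Properties": {"GroupDescription": "unrelated resource, ignored"}}
  }
}
""")

if __name__ == "__main__":
    for flag in (False, True):
        print(f"encryption by default = {flag}:")
        for logical_id, reason in volume_encryption_findings(SAMPLE_TEMPLATE, flag):
            print(f"  {logical_id}: {reason}")
```

With encryption by default off, PlainVolume, ImplicitVolume and ParamVolume are reported; turning the flag on clears only ImplicitVolume, because the account default never overrides an explicit false. In practice the flag is populated per Region from the output of aws ec2 get-ebs-encryption-by-default, and unresolved findings are reviewed by hand since a parameter default of "true" can still be overridden at deployment time.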