Amazon Elastic Block Store (EBS) is a block-storage service for Amazon EC2 that supports encryption of data at rest and in transit.

Why is this an issue?

When EBS volume encryption is disabled, data stored on the volume is not protected cryptographically. If an attacker gains access to the underlying storage — for example, through a misconfigured snapshot or a compromised AWS account — the data is exposed in plaintext. Encryption and decryption are handled transparently by EC2, so enabling it requires no modifications to the application.

What is the potential impact?

Exposure of sensitive data

Unencrypted EBS volumes can expose all data they contain if the underlying storage is accessed without authorization. This includes database files, application data, logs, and other sensitive information that an attacker could read, copy, or exfiltrate, leading to data breaches and regulatory non-compliance.

How to fix it

Code examples

EBS volume encryption is disabled, either explicitly by setting the encryption attribute to false or implicitly by omitting it when the default encryption setting is not enabled.

Noncompliant code example

resource "aws_ebs_volume" "ebs_volume" {  # Noncompliant: encryption is disabled by default
}

resource "aws_ebs_encryption_by_default" "default_encryption" {
  enabled = false  # Noncompliant
}

resource "aws_launch_configuration" "launch_configuration" {
  root_block_device {  # Noncompliant: encryption is disabled by default
  }
  ebs_block_device {  # Noncompliant: encryption is disabled by default
  }
}

Compliant solution

resource "aws_ebs_volume" "ebs_volume" {
  encrypted = true
}

resource "aws_ebs_encryption_by_default" "default_encryption" {
  enabled = true  # Optional, default is "true"
}

resource "aws_launch_configuration" "launch_configuration" {
  root_block_device {
    encrypted = true
  }
  ebs_block_device {
    encrypted = true
  }
}
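As an added example (not part of the rule page or the Terraform provider), the following Python audit applies the rule's logic to `terraform show -json tfplan` output: a volume or block device is flagged when `encrypted` is false, or when it is omitted and no managed `aws_ebs_encryption_by_default` resource or account setting turns default encryption on. The plan-JSON shape used here and `SAMPLE_PLAN` are assumptions constructed to mirror the noncompliant example above.

```python
"""Audit a Terraform plan (`terraform show -json tfplan`) for the rule above: an EBS
volume or block device is noncompliant when `encrypted` is false, or omitted while
EBS default encryption is not enabled."""
from typing import Any, Dict, List, Optional

# Nested blocks of aws_launch_configuration that carry an `encrypted` attribute.
BLOCK_DEVICES = {"aws_launch_configuration": ("root_block_device", "ebs_block_device")}


def resolve_default_encryption(resources: List[Dict[str, Any]], account_default: Optional[bool]) -> bool:
    """A managed aws_ebs_encryption_by_default resource wins over the account value
    (from `aws ec2 get-ebs-encryption-by-default`; None means unknown, treated as off)."""
    for res in resources:
        if res.get("type") == "aws_ebs_encryption_by_default":
            # The provider defaults `enabled` to true when the attribute is omitted.
            return res.get("values", {}).get("enabled", True) is not False
    return bool(account_default)


def find_unencrypted_ebs(plan: Dict[str, Any], account_default: Optional[bool] = None) -> List[str]:
    """Return one finding per unencrypted EBS volume or block device in the plan."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    default_on = resolve_default_encryption(resources, account_default)
    findings: List[str] = []

    def check(label: str, values: Dict[str, Any]) -> None:
        encrypted = values.get("encrypted")
        if encrypted is False:
            findings.append(f"{label}: encrypted = false")
        elif encrypted is None and not default_on:
            findings.append(f"{label}: encrypted omitted and default encryption is off")

    for res in resources:
        addr, rtype, values = res.get("address", "?"), res.get("type"), res.get("values", {})
        if rtype == "aws_ebs_volume":
            check(addr, values)
        for block in BLOCK_DEVICES.get(rtype, ()):
            for i, dev in enumerate(values.get(block) or []):  # nested blocks are lists in plan JSON
                check(f"{addr}.{block}[{i}]", dev)
    return findings


# Constructed plan fragment mirroring the noncompliant example above (not real Terraform output).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_ebs_volume.ebs_volume", "type": "aws_ebs_volume", "values": {}},
    {"address": "aws_ebs_encryption_by_default.default_encryption",
     "type": "aws_ebs_encryption_by_default", "values": {"enabled": False}},
    {"address": "aws_launch_configuration.launch_configuration", "type": "aws_launch_configuration",
     "values": {"root_block_device": [{}], "ebs_block_device": [{}]}}]}}}
```

Calling `find_unencrypted_ebs(SAMPLE_PLAN)` reports the volume and both block devices; against a real plan, load the JSON with `json.load` and pass the account's default-encryption state as `account_default`.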
