terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted
semgrep
Author: unknown
AWS EBS default encryption is disabled. EBS encryption protects the data stored on EBS volumes.

Definition
rules:
  - id: aws-ebs-unencrypted
    patterns:
      - pattern: |
          resource "aws_ebs_encryption_by_default" $ANYTHING {
            ...
            enabled = false
            ...
          }
    message: The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      technology:
        - aws
        - terraform
      category: security
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-ebs-unencrypted.tf

# pass
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

resource "aws_ebs_encryption_by_default" "default" {
}

# failure
# ruleid: aws-ebs-unencrypted
resource "aws_ebs_encryption_by_default" "disabled" {
  enabled = false
}
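The following script is an added illustration of the rule's logic, not code from Semgrep or the rule author. It applies the same check as the pattern above to the example file (embedded verbatim so it runs offline): an `aws_ebs_encryption_by_default` resource is flagged only when it sets `enabled = false` explicitly. A block with no `enabled` attribute is treated as enabled, which is why the `"default"` block passes; that treatment assumes the AWS provider's documented default of `true` for this attribute. The regex-based block parser is a simplification that does not handle nested blocks.

```python
import re

# The example Terraform from the rule page, embedded so the check runs offline.
EXAMPLE_TF = '''
# pass
resource "aws_ebs_encryption_by_default" "enabled" {
  enabled = true
}

resource "aws_ebs_encryption_by_default" "default" {
}

# failure
# ruleid: aws-ebs-unencrypted
resource "aws_ebs_encryption_by_default" "disabled" {
  enabled = false
}
'''

# Matches one aws_ebs_encryption_by_default resource block and captures its body.
# Simplification: the body ends at the first closing brace, so nested blocks are not supported.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_ebs_encryption_by_default"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}',
    re.DOTALL,
)

# Matches an explicit `enabled = true|false` attribute line inside a block body.
ENABLED_RE = re.compile(r'^\s*enabled\s*=\s*(?P<value>true|false)\s*$', re.MULTILINE)


def effective_ebs_default_encryption(hcl_text):
    """Map each aws_ebs_encryption_by_default resource name to its effective `enabled` value.

    A missing `enabled` attribute is treated as True. This assumes the AWS provider's
    documented default for the attribute (an assumption of this example, not stated by the rule).
    """
    states = {}
    for match in RESOURCE_RE.finditer(hcl_text):
        attr = ENABLED_RE.search(match.group("body"))
        states[match.group("name")] = True if attr is None else attr.group("value") == "true"
    return states


def aws_ebs_unencrypted_findings(hcl_text):
    """Return the resource names the rule would report: explicit `enabled = false` only."""
    return [name for name, enabled in effective_ebs_default_encryption(hcl_text).items() if not enabled]


if __name__ == "__main__":
    for name, enabled in effective_ebs_default_encryption(EXAMPLE_TF).items():
        print(f"{name}: enabled={enabled}")
    print("findings:", aws_ebs_unencrypted_findings(EXAMPLE_TF))
```

Note that, like the Semgrep pattern, this check looks only at the account-level `aws_ebs_encryption_by_default` resource; it says nothing about the `encrypted` attribute of individual `aws_ebs_volume` resources, so a clean result from this rule does not on its own mean every volume in the configuration is encrypted.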
Short Link: https://sg.run/Dy5Y