terraform.aws.security.aws-ec2-launch-configuration-ebs-block-device-unencrypted.aws-ec2-launch-configuration-ebs-block-device-unencrypted
semgrep
Author: unknown
The AWS launch configuration declares an ebs_block_device without encrypted = true. An unencrypted EBS volume, and every snapshot taken from it, can be read by anyone who obtains access to the volume, the snapshot, or the storage beneath it. Set encrypted = true on each block device so that data is protected at rest. Note that the rule only recognises a literal encrypted = true on the ebs_block_device block itself: it does not evaluate variables or expressions, it does not take an account-level "EBS encryption by default" setting into account, and it does not inspect root_block_device.
Definition
rules:
  - id: aws-ec2-launch-configuration-ebs-block-device-unencrypted
    patterns:
      - pattern-inside: |
          resource "aws_launch_configuration" $ANYTHING {
            ...
          }
      - pattern: |
          ebs_block_device {
            ...
          }
      - pattern-not: |
          ebs_block_device {
            ...
            encrypted = true
            ...
          }
    message: The AWS launch configuration EBS block device is unencrypted. The block
      device could be read if compromised. Block devices should be encrypted to
      ensure sensitive data is held securely at rest.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#block-devices
        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      rule-origin-note: published from
        /src/aws-ec2-launch-configuration-block-device-unencrypted.yml in None
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
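To make the three clauses above concrete, here is a small Python re-implementation of the rule's matching logic over raw HCL text. It is an added illustration, not part of the Semgrep rule or of any project's code: pattern-inside becomes "find an aws_launch_configuration resource and take its body", pattern becomes "find each ebs_block_device block in that body", and pattern-not becomes "skip the block if it contains a literal encrypted = true". The brace matcher assumes no braces inside string literals or comments (a simplification a real HCL parser would not make), and the sample Terraform, resource names and AMI id are constructed for the example. It also shows two behaviours worth knowing about the rule: encrypted = var.something is still reported because it is not a literal true, and root_block_device is never examined.

```python
import re
from dataclasses import dataclass

# The same three things the Semgrep patterns match: a launch-configuration
# resource header, an ebs_block_device block, and a literal `encrypted = true`.
RESOURCE_RE = re.compile(r'resource\s+"aws_launch_configuration"\s+"([^"]+)"\s*\{')
EBS_RE = re.compile(r'\bebs_block_device\s*\{')
ENCRYPTED_TRUE_RE = re.compile(r'^\s*encrypted\s*=\s*true\s*(#.*)?$', re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    resource: str  # Terraform resource name (the second label after the type)
    line: int      # 1-based line of the offending ebs_block_device block


def _block_end(text: str, open_brace: int) -> int:
    """Return the index just past the '}' closing the block opened at text[open_brace].

    Assumption: no braces inside string literals or comments (true for the
    fixtures on this page; a real HCL parser would handle them properly).
    """
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in HCL input")


def find_unencrypted_ebs(hcl: str) -> list[Finding]:
    """Report every ebs_block_device inside an aws_launch_configuration that
    lacks a literal `encrypted = true` (pattern-inside / pattern / pattern-not)."""
    findings: list[Finding] = []
    for res in RESOURCE_RE.finditer(hcl):
        body_start = res.end() - 1  # index of the resource's '{'
        body = hcl[body_start:_block_end(hcl, body_start)]
        for ebs in EBS_RE.finditer(body):
            blk_start = ebs.end() - 1  # index of the block's '{'
            block = body[blk_start:_block_end(body, blk_start)]
            if ENCRYPTED_TRUE_RE.search(block):
                continue  # the pattern-not clause excludes this block
            line = hcl.count("\n", 0, body_start + ebs.start()) + 1
            findings.append(Finding(res.group(1), line))
    return findings


# Constructed sample input (hypothetical resource names and AMI id).
SAMPLE_TF = """\
resource "aws_launch_configuration" "fail_1" {
  image_id      = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
  }
}

resource "aws_launch_configuration" "pass_fail" {
  image_id      = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
  ebs_block_device {
    device_name = "/dev/sdg"
    encrypted   = true
  }
  ebs_block_device {
    device_name = "/dev/sdh"
    encrypted   = false
  }
}

resource "aws_launch_configuration" "variable_driven" {
  image_id      = "ami-0123456789abcdef0"
  instance_type = "t2.micro"
  ebs_block_device {
    device_name = "/dev/sdg"
    encrypted   = var.encrypt_volumes # not a literal true, so still reported
  }
  root_block_device {
    volume_size = 8 # root volume is outside this rule's scope
  }
}
"""

if __name__ == "__main__":
    for f in find_unencrypted_ebs(SAMPLE_TF):
        print(f"{f.resource}: unencrypted ebs_block_device at line {f.line}")
```

Running it reports fail_1 (line 4), pass_fail (line 17, the second block) and variable_driven (line 26); the encrypted = true block and the root_block_device block are not reported, which is exactly the behaviour the Semgrep patterns produce on the fixture below.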
Examples
aws-ec2-launch-configuration-ebs-block-device-unencrypted.tf
resource "aws_launch_configuration" "fail_1" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # ruleid: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
    volume_type = "gp2"
  }
}

resource "aws_launch_configuration" "fail_2" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # ruleid: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
    volume_type = "gp2"
    encrypted   = false
  }
}

resource "aws_launch_configuration" "pass_fail_1" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # ok: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
    volume_type = "gp2"
    encrypted   = true
  }
  # ruleid: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdh" # distinct device name; AWS rejects duplicate mappings
    volume_size = 5
    volume_type = "gp2"
  }
}

resource "aws_launch_configuration" "pass_fail_2" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # ok: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
    volume_type = "gp2"
    encrypted   = true
  }
  # ruleid: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdh" # distinct device name; AWS rejects duplicate mappings
    volume_size = 5
    volume_type = "gp2"
    encrypted   = false
  }
}

# ok: aws-ec2-launch-configuration-ebs-block-device-unencrypted
resource "aws_launch_configuration" "pass_1" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
}

resource "aws_launch_configuration" "pass_2" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  # ok: aws-ec2-launch-configuration-ebs-block-device-unencrypted
  ebs_block_device {
    device_name = "/dev/sdg"
    volume_size = 5
    volume_type = "gp2"
    encrypted   = true
  }
}
Short Link: https://sg.run/oryd