terraform.aws.security.aws-ec2-launch-configuration-root-block-device-unencrypted.aws-ec2-launch-configuration-root-block-device-unencrypted
Author
unknown
The AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
Definition
rules:
  - id: aws-ec2-launch-configuration-root-block-device-unencrypted
    patterns:
      - pattern: |
          resource "aws_launch_configuration" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_launch_configuration" $ANYTHING {
            ...
            root_block_device {
              ...
              encrypted = true
              ...
            }
            ...
          }
    message: The AWS launch configuration root block device is unencrypted. The
      block device could be read if compromised. Block devices should be
      encrypted to ensure sensitive data is held securely at rest.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-311: Missing Encryption of Sensitive Data"
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#block-devices
        - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      rule-origin-note: published from
        /src/aws-ec2-launch-configuration-block-device-unencrypted.yml in None
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
Examples
aws-ec2-launch-configuration-root-block-device-unencrypted.tf
# ruleid: aws-ec2-launch-configuration-root-block-device-unencrypted
resource "aws_launch_configuration" "fail_1" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
}

# ruleid: aws-ec2-launch-configuration-root-block-device-unencrypted
resource "aws_launch_configuration" "fail_2" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  root_block_device {
    volume_size = 5
    volume_type = "gp2"
  }
}

# ruleid: aws-ec2-launch-configuration-root-block-device-unencrypted
resource "aws_launch_configuration" "fail_3" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  root_block_device {
    volume_size = 5
    volume_type = "gp2"
    encrypted   = false
  }
}

# ok: aws-ec2-launch-configuration-root-block-device-unencrypted
resource "aws_launch_configuration" "pass_1" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t2.micro"
  root_block_device {
    volume_size = 5
    volume_type = "gp2"
    encrypted   = true
  }
}
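As an added example that is not part of the rule's test file, the following launch configuration encrypts both the root volume and an extra data volume; the resource name, the `data.aws_ami.ubuntu` data source and the volume sizes are assumed, and the comments spell out what the rule above does and does not inspect.

```hcl
# Added example (assumed names). No KMS key id is set because the launch
# configuration EBS block does not take one; encrypted = true uses the
# account's default EBS encryption key.
resource "aws_launch_configuration" "hardened" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  # This block is what the rule's pattern-not-inside looks for: a literal
  # `encrypted = true` inside root_block_device. If the value is supplied some
  # other way (for example from a variable), check the resolved value before
  # dismissing a finding; the rule is published with confidence: LOW.
  root_block_device {
    volume_size           = 20
    volume_type           = "gp3"
    encrypted             = true
    delete_on_termination = true
  }

  # Not inspected by this rule, which only looks at root_block_device. Every
  # additional volume needs its own encrypted flag and its own check.
  ebs_block_device {
    device_name = "/dev/sdf"
    volume_size = 100
    volume_type = "gp3"
    encrypted   = true
  }

  # Launch configurations are immutable, so changes create a replacement;
  # this keeps the Auto Scaling group attached during the swap.
  lifecycle {
    create_before_destroy = true
  }
}
```

Note that the AWS provider documents `aws_launch_configuration` as deprecated in favour of `aws_launch_template`, which this rule does not cover.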
Short Link: https://sg.run/zg1P