Non-encrypted hard drives

Need

Implementation of full disk encryption

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non-compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  root_block_device {
    volume_type           = "gp2"
    volume_size           = "50"
    delete_on_termination = true
  }
}

The above code is a simple example of a Terraform script that creates an AWS EC2 instance. The root block device defined here is the main hard drive for the instance. However, this code has a weakness: the root block device (the instance's hard drive) is not encrypted.

The root_block_device block defines the settings for the root hard disk. Here, it is set to a General Purpose SSD (gp2) with a size of 50 GB, and is configured to be deleted when the instance is terminated. However, there is no 'encrypted' argument in the root_block_device block, which means the data on the hard drive is not encrypted.

This leaves any data stored on this disk unprotected and can be easily accessed if the disk is compromised. This is a serious issue especially when the instance is storing sensitive customer data.

Steps

  • Enable encryption for the root block device of the AWS instance.
  • Specify the 'encrypted' property as 'true' for the root block device.
  • Ensure that the 'volume_type' is set to a type that supports encryption, such as 'gp3' or 'io2'.
  • Consider using a custom AWS KMS key for encryption by specifying the 'kms_key_id' property.

Compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"

  root_block_device {
    volume_type           = "gp3"
    volume_size           = "50"
    delete_on_termination = true
    encrypted             = true
    kms_key_id            = "arn:aws:kms:us-west-2:111122223333:key/abcd1234a1234dea4ec1234567890a12" // replace with your KMS Key ARN
  }
}

The updated code now includes encryption for the root block device of the AWS instance. This is achieved by setting the 'encrypted' property to 'true'.

The 'volume_type' has been changed from 'gp2' to 'gp3' because 'gp2' does not support encryption. 'gp3' is the latest generation of General Purpose SSD volumes that AWS offers, and it supports encryption.

The 'kms_key_id' property has been added to specify a custom AWS KMS key for encryption. Replace the placeholder value with the ARN of your own KMS key. If you don't specify a custom KMS key, AWS will use the default KMS key for EBS in your account.

By making these changes, the data stored on the root block device of the AWS instance will be encrypted, thereby protecting sensitive customer data.
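As an added check that is not part of the original page, the following Python script walks the JSON that `terraform show -json tfplan` produces and flags every aws_instance whose root_block_device is not explicitly encrypted, including the case where the block is omitted entirely (the instance still gets a root volume from the AMI). It assumes the plan JSON layout (planned_values, root_module, child_modules, values); the embedded plan is constructed sample data, not a real plan.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not real plan data):
# one instance matching the non-compliant block above, one with encryption set.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_instance.example", "type": "aws_instance", "name": "example",
   "values": {"instance_type": "t2.micro",
              "root_block_device": [{"volume_type": "gp2", "volume_size": 50,
                                     "delete_on_termination": true}]}},
  {"address": "aws_instance.hardened", "type": "aws_instance", "name": "hardened",
   "values": {"instance_type": "t2.micro",
              "root_block_device": [{"volume_type": "gp3", "volume_size": 50,
                                     "delete_on_termination": true, "encrypted": true,
                                     "kms_key_id": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"}]}}
]}}}
""")


def iter_resources(module):
    """Yield every resource in a planned module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_unencrypted_root_devices(plan):
    """Return one finding per aws_instance whose root volume is not explicitly encrypted.

    Terraform leaves computed attributes out of planned values, so an `encrypted`
    that is missing or null is treated the same as `false`: only an explicit True passes.
    An instance with no root_block_device block at all is also reported, because the
    AMI-derived root volume then inherits whatever the account default happens to be.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_instance":
            continue
        devices = res.get("values", {}).get("root_block_device") or [{}]
        for device in devices:
            if device.get("encrypted") is not True:
                findings.append({"address": res["address"],
                                 "volume_type": device.get("volume_type"),
                                 "kms_key_id": device.get("kms_key_id")})
    return findings


if __name__ == "__main__":
    for f in find_unencrypted_root_devices(SAMPLE_PLAN):
        print(f"{f['address']}: root_block_device not encrypted (volume_type={f['volume_type']})")
```

Run it against `terraform show -json tfplan > plan.json` in CI and fail the pipeline when the list is non-empty; a `kms_key_id` of None on a passing device means the account default EBS key is in use rather than a custom one.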
