Non-encrypted confidential information - EBS Volumes
Need
Secure encryption of confidential information stored in EBS volumes
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of aws-sdk for interacting with Amazon Web Services (AWS) services
Description
Non compliant code
resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = false
}
The above Terraform code describes an AWS EBS volume resource named "example". The volume is created with a size of 40 GiB in the "us-west-2a" availability zone.
The vulnerability lies in the encrypted attribute, which is set to false. This means that the EBS volume is not encrypted, and any data stored on this volume is not protected at rest. If an attacker gains access to this volume, they can potentially read sensitive data without any restrictions.
In AWS, EBS volumes can store data for any instance that is attached to them. This data can include user data, application data, and also system data pertaining to the instance. The lack of encryption on this EBS volume means all this data is at risk.
AWS provides the ability to encrypt EBS volumes to add an additional layer of security to your data at rest. The encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.
Steps
- Identify all the EBS volumes in your infrastructure that are not encrypted
- Update the configuration of each EBS volume to set the 'encrypted' property to 'true'
- Verify that the 'encrypted' property is set to 'true' for all the EBS volumes
- Re-deploy or update your infrastructure to apply the changes
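The first and third steps above (find volumes whose encrypted flag is false, then verify none remain) can be automated against the EC2 DescribeVolumes API. The following is an added example, not code from the original page; the volume IDs and the SAMPLE_PAGES data are constructed, and the scan_region helper assumes boto3 and valid AWS credentials are available.

```python
"""Report EBS volumes that are not encrypted at rest (steps 1 and 3 of the remediation)."""
from typing import Dict, Iterable, List

# Constructed sample pages in the shape returned by EC2 DescribeVolumes
# (two pages, as a paginator would yield them).
SAMPLE_PAGES = [
    {"Volumes": [
        {"VolumeId": "vol-0aaa", "AvailabilityZone": "us-west-2a", "Size": 40, "Encrypted": False},
        {"VolumeId": "vol-0bbb", "AvailabilityZone": "us-west-2a", "Size": 40, "Encrypted": True},
    ]},
    {"Volumes": [
        {"VolumeId": "vol-0ccc", "AvailabilityZone": "us-west-2b", "Size": 8, "Encrypted": False},
    ]},
]


def unencrypted_volumes(pages: Iterable[Dict]) -> List[Dict]:
    """Return the volumes whose Encrypted flag is false across all DescribeVolumes pages.

    A missing Encrypted key is treated as unencrypted so that an incomplete
    response never hides a finding.
    """
    findings = []
    for page in pages:
        for vol in page.get("Volumes", []):
            if not vol.get("Encrypted", False):
                findings.append({
                    "VolumeId": vol["VolumeId"],
                    "AvailabilityZone": vol.get("AvailabilityZone"),
                    "Size": vol.get("Size"),
                })
    return findings


def scan_region(region_name: str) -> List[Dict]:
    """Live scan of one region (assumes boto3 is installed and credentials are configured)."""
    import boto3  # imported lazily so the offline part of this module works without the SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    paginator = ec2.get_paginator("describe_volumes")
    return unencrypted_volumes(paginator.paginate())


def main() -> None:
    # Runs offline against the constructed sample; swap in scan_region("us-west-2") for a live check.
    for vol in unencrypted_volumes(SAMPLE_PAGES):
        print(f"{vol['VolumeId']} in {vol['AvailabilityZone']} ({vol['Size']} GiB) is not encrypted")


if __name__ == "__main__":
    main()
```

An empty result from unencrypted_volumes after re-deploying the corrected Terraform is the verification called for in the third step.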
Compliant code
resource "aws_ebs_volume" "example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true
}
The above code is a fixed version of the vulnerable code. The vulnerability was that the EBS volume was not encrypted, which could potentially allow an attacker to read sensitive information regarding the launch configuration of EC2 Instances.
In the fixed code, the encrypted property of the aws_ebs_volume resource is set to true. This means that the EBS volume will be encrypted, preventing unauthorized access to the data it contains.
The availability_zone and size properties remain the same as in the original code. The availability_zone property specifies the AWS availability zone in which the EBS volume is to be created, and the size property specifies the size of the EBS volume in GiB.
After updating the code, you should re-deploy or update your infrastructure to apply the changes. You should also verify that the encrypted property is set to true for all the EBS volumes in your infrastructure.