
Non-encrypted confidential information - EBS Volumes

Description

One or more Elastic Block Store (EBS) volumes are not encrypted, allowing an attacker to read potentially sensitive information regarding the launch configuration of EC2 instances.

Impact

Obtain information related to EC2 launch configuration to craft more complex attack vectors

Recommendation

Enable encryption on all EBS volumes by setting the property Encrypted to true.

Threat

Anonymous attacker with local access to an EBS volume.

Expected Remediation Time

⌚ 20 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 2.9
    • Temporal: 2.6
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The resource has the encryption mechanism enabled

Resources:
  myLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref LatestAmiId
      SecurityGroups:
        - Ref: "myEC2SecurityGroup"
      InstanceType:
        Ref: "InstanceType"
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: "gp3"
        - DeviceName: /dev/sdm
          Ebs:
            VolumeSize: 100
            DeleteOnTermination: "false"
            Encrypted: true

Non compliant code

The resource does not have an encryption mechanism correctly configured

Resources:
  myLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref LatestAmiId
      SecurityGroups:
        - Ref: "myEC2SecurityGroup"
      InstanceType:
        Ref: "InstanceType"
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: "gp3"
        - DeviceName: /dev/sdm
          Ebs:
            VolumeSize: 100
            DeleteOnTermination: "false"
            Encrypted: false

Terraform example

resource "aws_launch_configuration" "example" {
  instance_type = "t2.micro"
  root_block_device {
    encrypted = false
  }
}

Using the AWS CLI, the following command lists the EBS volumes attached to an instance so that their encryption status can be checked (replace <instance-id> with the ID of the instance to inspect):

$ aws ec2 describe-volumes \
    --filters Name=attachment.instance-id,Values=<instance-id>

If the output shows "Encrypted": false for a volume, that volume is unencrypted.
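The same condition can be caught before deployment by scanning the template. The following check is an added example, not code from the original page or from any vendor tool; it works on a CloudFormation template already parsed into a Python dict (as yaml.safe_load would return it, with the sample below constructed from the page's launch configuration) and reports every Ebs mapping whose Encrypted property is false or missing, accepting the string booleans ("true"/"false") that CloudFormation allows.

```python
# Added example (not the page's own code): flag EBS block device mappings in a
# parsed CloudFormation template that are not explicitly encrypted.
# Constructed input: the page's launch configuration as yaml.safe_load would
# return it, plus a third device that omits Encrypted entirely.
TEMPLATE = {
    "Resources": {
        "myLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "BlockDeviceMappings": [
                    {"DeviceName": "/dev/sda1",
                     "Ebs": {"VolumeSize": 30, "VolumeType": "gp3"}},
                    {"DeviceName": "/dev/sdm",
                     "Ebs": {"VolumeSize": 100, "DeleteOnTermination": "false",
                             "Encrypted": "false"}},
                    {"DeviceName": "/dev/sdn",
                     "Ebs": {"VolumeSize": 20, "Encrypted": True}},
                ]
            },
        }
    }
}

# Resource types whose Properties carry a BlockDeviceMappings list directly.
CHECKED_TYPES = {"AWS::AutoScaling::LaunchConfiguration", "AWS::EC2::Instance"}

def is_true(value):
    """CloudFormation accepts booleans as true/false or as the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"

def find_unencrypted_ebs(template):
    """Return (logical_id, device_name, reason) for each Ebs block that is not
    explicitly encrypted. A missing Encrypted key is reported too: such a volume
    is only encrypted if EBS encryption by default is enabled in that region."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in CHECKED_TYPES:
            continue
        for mapping in res.get("Properties", {}).get("BlockDeviceMappings", []):
            ebs = mapping.get("Ebs")
            if ebs is None:  # ephemeral/virtual device, no EBS volume behind it
                continue
            if "Encrypted" not in ebs:
                findings.append((logical_id, mapping.get("DeviceName"), "Encrypted not set"))
            elif not is_true(ebs["Encrypted"]):
                findings.append((logical_id, mapping.get("DeviceName"), "Encrypted is false"))
    return findings
```

Running find_unencrypted_ebs(TEMPLATE) reports /dev/sda1 (no Encrypted property) and /dev/sdm (Encrypted is false); only /dev/sdn passes.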

Details

https://docs.bridgecrew.io/docs/general_13

Requirements