Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 173 EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes

Description

This control checks whether an Amazon EC2 Spot Fleet request that specifies launch parameters is configured to enable encryption for all Amazon Elastic Block Store (Amazon EBS) volumes attached to EC2 instances. The control fails if the Spot Fleet request specifies launch parameters and doesn't enable encryption for one or more EBS volumes specified in the request.

For an additional layer of security, you should enable encryption for Amazon EBS volumes. Encryption operations then occur on the servers that host Amazon EC2 instances, which helps ensure the security of both data at rest and data in transit between an instance and its attached EBS storage. Amazon EBS encryption is a straightforward encryption solution for EBS resources associated with your EC2 instances. With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses AWS KMS keys when creating encrypted volumes

Remediation

There's no direct way to encrypt an existing, unencrypted Amazon EBS volume. You can encrypt a new volume only when you create it.

However, if you enable encryption by default, Amazon EBS encrypts new volumes by using your default key for EBS encryption. If you don't enable encryption by default, you can enable encryption when you create an individual volume. In both cases, you can override the default key for EBS encryption and choose a customer managed AWS KMS key. For more information about EBS encryption, see Amazon EBS encryption in the Amazon EBS User Guide.

For information about creating an Amazon EC2 Spot Fleet request, see Create a Spot Fleet in the Amazon Elastic Compute Cloud User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_173

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_173 --share

SQL

This control uses a named query:

select
  spot_fleet_request_id as resource,
  case
    when launch_specifications is null then 'skip'
    when exists (
      select 1
      from jsonb_array_elements(launch_specifications) spec,
           jsonb_array_elements(spec -> 'BlockDeviceMappings') bdm
      where (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
         or bdm -> 'Ebs' ->> 'Encrypted' is null
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when launch_specifications is null then title || ' does not define any launch specifications.'
    when exists (
      select 1
      from jsonb_array_elements(launch_specifications) spec,
           jsonb_array_elements(spec -> 'BlockDeviceMappings') bdm
      where (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
         or bdm -> 'Ebs' ->> 'Encrypted' is null
    )
      then title || ' has launch parameters with unencrypted EBS volumes.'
    else title || ' has all launch parameters with encrypted EBS volumes.'
  end as reason
  
  , region, account_id
from
  aws_ec2_spot_fleet_request;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_at_rest
foundational_security_item_id = ec2_173
plugin = aws
service = AWS/EC2