Control: EC2 launch templates should enable encryption for attached EBS volumes
Description
This control checks whether an Amazon EC2 launch template enables encryption for all attached EBS volumes. The control fails if the encryption parameter is set to False for any EBS volumes specified by the EC2 launch template.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ec2_launch_template_ebs_volume_encrypted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.ec2_launch_template_ebs_volume_encrypted --share
SQL
This control uses a named query:
select
  launch_template_id as resource,
  case
    when launch_template_data -> 'BlockDeviceMappings' is null
      or launch_template_data -> 'BlockDeviceMappings' = 'null' then 'skip'
    when jsonb_typeof(launch_template_data -> 'BlockDeviceMappings') <> 'array' then 'skip'
    when exists (
      select 1
      from jsonb_array_elements(launch_template_data -> 'BlockDeviceMappings') bdm
      where bdm -> 'Ebs' is not null
        and (
          (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
          or bdm -> 'Ebs' ->> 'Encrypted' is null
        )
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when launch_template_data -> 'BlockDeviceMappings' is null
      or launch_template_data -> 'BlockDeviceMappings' = 'null' then title || ' does not define any block device mappings.'
    when jsonb_typeof(launch_template_data -> 'BlockDeviceMappings') <> 'array' then title || ' block device mappings is not an array.'
    when exists (
      select 1
      from jsonb_array_elements(launch_template_data -> 'BlockDeviceMappings') bdm
      where bdm -> 'Ebs' is not null
        and (
          (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
          or bdm -> 'Ebs' ->> 'Encrypted' is null
        )
    ) then title || ' has unencrypted EBS volumes.'
    else title || ' has all EBS volumes encrypted.'
  end as reason,
  region,
  account_id
from
  aws_ec2_launch_template_version
where
  default_version;
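As an added illustration (not part of the aws_compliance mod), the control's status expression applied to constructed launch_template_data values, so each branch of the CASE can be seen on plain PostgreSQL without a Steampipe connection; the template ids and block device mappings below are made up.

```sql
-- Added example, not the mod's own query: the same status logic as the control,
-- evaluated over constructed launch_template_data rows (one per CASE branch).
with sample as (
  select * from (values
    ('lt-noblock',   '{}'::jsonb),                                                   -- key absent   -> skip
    ('lt-nullmap',   '{"BlockDeviceMappings": null}'::jsonb),                        -- JSON null    -> skip
    ('lt-notarray',  '{"BlockDeviceMappings": {"DeviceName": "/dev/xvda"}}'::jsonb), -- not an array -> skip
    ('lt-false',     '{"BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                       "Ebs": {"Encrypted": false}}]}'::jsonb),                      -- alarm
    ('lt-missing',   '{"BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                       "Ebs": {"VolumeSize": 8}}]}'::jsonb),                         -- alarm (Encrypted unset)
    ('lt-ephemeral', '{"BlockDeviceMappings": [{"DeviceName": "/dev/sdb",
                       "VirtualName": "ephemeral0"}]}'::jsonb),                      -- ok (no Ebs block)
    ('lt-ok',        '{"BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                       "Ebs": {"Encrypted": true}}]}'::jsonb)                        -- ok
  ) as t(launch_template_id, launch_template_data)
)
select
  launch_template_id,
  case
    when launch_template_data -> 'BlockDeviceMappings' is null
      or launch_template_data -> 'BlockDeviceMappings' = 'null' then 'skip'
    when jsonb_typeof(launch_template_data -> 'BlockDeviceMappings') <> 'array' then 'skip'
    when exists (
      select 1
      from jsonb_array_elements(launch_template_data -> 'BlockDeviceMappings') bdm
      where bdm -> 'Ebs' is not null
        and (
          (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
          or bdm -> 'Ebs' ->> 'Encrypted' is null   -- an Ebs block with no Encrypted key is treated as unencrypted
        )
    ) then 'alarm'
    else 'ok'
  end as status
from sample
order by launch_template_id;
```

Note that a mapping whose Ebs block omits Encrypted is reported as alarm even when EBS encryption by default is enabled for the account, because the control reads only the template data; a mapping with no Ebs block at all (instance store) is not inspected.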