turbot/steampipe-mod-aws-compliance

Control: 181 EC2 launch templates should enable encryption for attached EBS volumes

Description

This control checks whether an Amazon EC2 launch template enables encryption for all attached EBS volumes. The control fails if the encryption parameter is set to False for any EBS volume specified by the EC2 launch template. Note that the query below also reports an alarm when an EBS mapping omits the Encrypted parameter altogether: in that case the template itself does not guarantee encryption, and the volume is only encrypted at launch if EBS encryption by default is enabled for the account in that Region.

Amazon EBS encryption is a straightforward encryption solution for EBS resources that are associated with Amazon EC2 instances. With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses AWS KMS keys when creating encrypted volumes and snapshots. Encryption operations occur on the servers that host EC2 instances, which helps ensure the security of data at rest and data in transit between an EC2 instance and its attached EBS storage. For more information, see Amazon EBS encryption in the Amazon EBS User Guide.

You can enable EBS encryption during manual launches of individual EC2 instances. However, there are several benefits to using EC2 launch templates and configuring encryption settings in those templates. You can enforce encryption as a standard and ensure the use of consistent encryption settings. You can also reduce the risk of error and security gaps that might occur with manual launches of instances.

Remediation

After you create an Amazon EC2 launch template, you can't modify it. However, you can create a new version of a launch template and change the encryption settings in that new version of the template. You can also specify the new version as the default version of the launch template. Then, if you launch an EC2 instance from a launch template and don't specify a template version, EC2 uses the settings of the default version when it launches the instance. For more information, see Modify a launch template in the Amazon EC2 User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_181

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_181 --share

SQL

This control uses a named query:

select
  launch_template_id as resource,
  case
    -- no mappings (key absent or JSON null) or a non-array value: nothing to evaluate
    when launch_template_data -> 'BlockDeviceMappings' is null
      or launch_template_data -> 'BlockDeviceMappings' = 'null' then 'skip'
    when jsonb_typeof(launch_template_data -> 'BlockDeviceMappings') <> 'array' then 'skip'
    -- any EBS mapping whose Encrypted flag is false or missing fails the control
    when exists (
      select 1
      from jsonb_array_elements(launch_template_data -> 'BlockDeviceMappings') bdm
      where bdm -> 'Ebs' is not null
        and (
          (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
          or bdm -> 'Ebs' ->> 'Encrypted' is null
        )
    ) then 'alarm'
    else 'ok'
  end as status,
  case
    when launch_template_data -> 'BlockDeviceMappings' is null
      or launch_template_data -> 'BlockDeviceMappings' = 'null' then title || ' does not define any block device mappings.'
    when jsonb_typeof(launch_template_data -> 'BlockDeviceMappings') <> 'array' then title || ' block device mappings is not an array.'
    when exists (
      select 1
      from jsonb_array_elements(launch_template_data -> 'BlockDeviceMappings') bdm
      where bdm -> 'Ebs' is not null
        and (
          (bdm -> 'Ebs' ->> 'Encrypted')::boolean = false
          or bdm -> 'Ebs' ->> 'Encrypted' is null
        )
    ) then title || ' has unencrypted EBS volumes.'
    else title || ' has all EBS volumes encrypted.'
  end as reason,
  region,
  account_id
from
  aws_ec2_launch_template_version
where
  -- only the default version is what an unqualified launch will use
  default_version;
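To see how this classification behaves on each edge case without a Steampipe connection, here is an added example that is not part of the aws_compliance mod and runs in plain PostgreSQL. It stands in for the aws_ec2_launch_template_version table with a CTE of constructed rows (the launch template ids, titles and JSON are made up), folds the control's two identical exists checks into a single lateral aggregate, and additionally lists the offending device names, which the control's reason column does not.

```sql
-- Added example, not part of the aws_compliance mod. Runs in plain PostgreSQL
-- (no Steampipe, no AWS credentials). The CTE stands in for the
-- aws_ec2_launch_template_version table; all ids and JSON below are constructed.
with sample_versions(launch_template_id, title, launch_template_data, default_version) as (
  values
    -- every EBS mapping explicitly encrypted
    ('lt-0000000000000001', 'lt-encrypted',
     '{"BlockDeviceMappings":[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":true,"VolumeSize":8}}]}'::jsonb, true),
    -- first mapping encrypted, second explicitly unencrypted
    ('lt-0000000000000002', 'lt-mixed',
     '{"BlockDeviceMappings":[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":true}},{"DeviceName":"/dev/xvdb","Ebs":{"Encrypted":false}}]}'::jsonb, true),
    -- Encrypted omitted: the template makes no guarantee, only account-level
    -- EBS encryption by default (if enabled) would encrypt this volume
    ('lt-0000000000000003', 'lt-unset',
     '{"BlockDeviceMappings":[{"DeviceName":"/dev/xvda","Ebs":{"VolumeSize":8}}]}'::jsonb, true),
    -- instance-store mapping only, no Ebs key at all
    ('lt-0000000000000004', 'lt-ephemeral',
     '{"BlockDeviceMappings":[{"DeviceName":"/dev/xvdb","VirtualName":"ephemeral0"}]}'::jsonb, true),
    -- no block device mappings defined
    ('lt-0000000000000005', 'lt-nomappings',
     '{"ImageId":"ami-00000000000000000"}'::jsonb, true),
    -- unencrypted, but not the default version
    ('lt-0000000000000006', 'lt-oldversion',
     '{"BlockDeviceMappings":[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":false}}]}'::jsonb, false)
)
select
  v.launch_template_id as resource,
  case
    -- missing key, JSON null and non-array values all land in the same skip branch:
    -- jsonb_typeof(NULL) is NULL, jsonb_typeof('null') is 'null', neither equals 'array'
    when jsonb_typeof(v.launch_template_data -> 'BlockDeviceMappings') is distinct from 'array' then 'skip'
    when m.unencrypted > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when jsonb_typeof(v.launch_template_data -> 'BlockDeviceMappings') is distinct from 'array'
      then v.title || ' does not define any block device mappings.'
    when m.unencrypted > 0
      then v.title || ' has unencrypted EBS volumes: ' || m.devices
    else v.title || ' has all EBS volumes encrypted.'
  end as reason
from
  sample_versions v
  -- one row per template: how many EBS mappings are not explicitly encrypted, and which
  cross join lateral (
    select
      count(*) filter (where bdm -> 'Ebs' is not null
                         and not coalesce((bdm -> 'Ebs' ->> 'Encrypted')::boolean, false)) as unencrypted,
      string_agg(bdm ->> 'DeviceName', ', ' order by bdm ->> 'DeviceName')
        filter (where bdm -> 'Ebs' is not null
                  and not coalesce((bdm -> 'Ebs' ->> 'Encrypted')::boolean, false)) as devices
    from jsonb_array_elements(
      -- feed an empty array when there is nothing iterable so the aggregate still yields one row
      case when jsonb_typeof(v.launch_template_data -> 'BlockDeviceMappings') = 'array'
           then v.launch_template_data -> 'BlockDeviceMappings'
           else '[]'::jsonb
      end) as bdm
  ) m
where
  v.default_version
order by
  v.launch_template_id;
```

Run as-is with psql. The first, encrypted, template and the instance-store-only template come back ok, the mixed template and the template with Encrypted omitted come back alarm (naming /dev/xvdb and /dev/xvda respectively), the template without mappings is skipped, and the non-default version is never evaluated. The coalesce to false is what makes an omitted Encrypted flag count as unencrypted, matching the control's "or ... is null" branch.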

Tags