Control: EC2 launch configuration EBS encryption should be enabled
Description
This control checks whether EC2 launch configurations have EBS encryption enabled.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ec2_launch_configuration_ebs_encryption_checkSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.ec2_launch_configuration_ebs_encryption_check --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std -> 'root_block_device') is not null and ((attributes_std -> 'root_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'root_block_device' ->> 'snapshot_id') is not null) and (((attributes_std -> 'ebs_block_device') is not null and ((attributes_std -> 'ebs_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'ebs_block_device' ->> 'snapshot_id') is not null)) or ((attributes_std -> 'ebs_block_device') is null)) then 'ok' else 'alarm' end as status, split_part(address, '.', 2) || case when (attributes_std -> 'root_block_device') is not null and ((attributes_std -> 'root_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'root_block_device' ->> 'snapshot_id') is not null) and (((attributes_std -> 'ebs_block_device') is not null and ((attributes_std -> 'ebs_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'ebs_block_device' ->> 'snapshot_id') is not null)) or ((attributes_std -> 'ebs_block_device') is null)) then ' is securely encrypted' else ' is not securely encrypted' end || '.' as reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_launch_configuration';