Non-encrypted confidential information - EBS Volumes - Aws

Need

Secure encryption of confidential information stored in EBS volumes

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

Non-compliant code

        resource "aws_ebs_volume" "example" {
          availability_zone = "us-west-2a"
          size              = 40
          encrypted         = false
        }

The above Terraform code describes an AWS EBS volume resource named "example". The volume is created with a size of 40 GiB in the "us-west-2a" availability zone.

The vulnerability lies in the encrypted attribute, which is set to false. This means that the EBS volume is not encrypted, and any data stored on this volume is not protected at rest. If an attacker gains access to this volume, they can potentially read sensitive data without any restrictions.

In AWS, EBS volumes can store data for any instance that is attached to them. This data can include user data, application data, and also system data pertaining to the instance. The lack of encryption on this EBS volume means all this data is at risk.

AWS provides the ability to encrypt EBS volumes to add an additional layer of security to your data at rest. The encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Steps

  • Identify all the EBS volumes in your infrastructure that are not encrypted
  • Update the configuration of each EBS volume to set the 'encrypted' property to 'true'
  • Verify that the 'encrypted' property is set to 'true' for all the EBS volumes
  • Re-deploy or update your infrastructure to apply the changes
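To carry out the first and third steps against a live account, here is an added example (not part of this page) that uses the Python AWS SDK (boto3, assumed installed and credentialed) to list volumes whose Encrypted flag is false; the DescribeVolumes pages in SAMPLE_PAGES are constructed so the filtering logic runs offline.

```python
from typing import Dict, Iterable, List


def unencrypted_volumes(pages: Iterable[dict]) -> List[Dict]:
    """Return one finding per volume with Encrypted == false across all pages."""
    findings = []
    for page in pages:
        for vol in page.get("Volumes", []):
            if vol.get("Encrypted", False):
                continue  # encrypted at rest: compliant, nothing to report
            findings.append({
                "VolumeId": vol["VolumeId"],
                "AvailabilityZone": vol.get("AvailabilityZone"),
                "SizeGiB": vol.get("Size"),
                "State": vol.get("State"),
                "AttachedTo": [a["InstanceId"] for a in vol.get("Attachments", [])],
            })
    return findings


def scan_account(region: str) -> List[Dict]:
    """Live variant (assumes boto3 + credentials): server-side 'encrypted' filter,
    paginator follows NextToken, client-side check above remains as a guard."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_volumes").paginate(
        Filters=[{"Name": "encrypted", "Values": ["false"]}]
    )
    return unencrypted_volumes(pages)


# Constructed sample: two pages shaped like paginated DescribeVolumes output.
SAMPLE_PAGES = [
    {"Volumes": [
        {"VolumeId": "vol-0aaa11112222bbbb3", "AvailabilityZone": "us-west-2a",
         "Size": 40, "State": "in-use", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/sdf"}]},
        {"VolumeId": "vol-0ccc33334444dddd5", "AvailabilityZone": "us-west-2a",
         "Size": 8, "State": "in-use", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}]},
    ]},
    {"Volumes": [
        {"VolumeId": "vol-0eee55556666ffff7", "AvailabilityZone": "us-west-2b",
         "Size": 100, "State": "available", "Encrypted": False, "Attachments": []},
    ]},
]

if __name__ == "__main__":
    for finding in unencrypted_volumes(SAMPLE_PAGES):
        print(finding)
```

Note that flipping encrypted on an existing aws_ebs_volume forces Terraform to replace the volume rather than modify it in place, so plan the data migration (snapshot, encrypted copy, new volume) before applying.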

Compliant code

        resource "aws_ebs_volume" "example" {
          availability_zone = "us-west-2a"
          size              = 40
          encrypted         = true
        }

The above code is the fixed version of the vulnerable code. The vulnerability was that the EBS volume was not encrypted, which could potentially allow an attacker with access to the volume to read sensitive information stored on it by the EC2 instances it is attached to.

In the fixed code, the encrypted property of the aws_ebs_volume resource is set to true. This means that the EBS volume will be encrypted, preventing unauthorized access to the data it contains.

The availability_zone and size properties remain the same as in the original code. The availability_zone property specifies the AWS availability zone in which the EBS volume is to be created, and the size property specifies the size of the EBS volume in GiBs.

After updating the code, you should re-deploy or update your infrastructure to apply the changes. You should also verify that the encrypted property is set to true for all the EBS volumes in your infrastructure.