
(ec2_ebs_encryption_by_default.guard): Does not do what it says

Open mobri2a opened this issue 8 months ago • 0 comments

What is the problem?

This rule (ec2_ebs_encryption_by_default.guard) does not check if EBS encryption is enabled by default, as this is not something that can be set in a CloudFormation template. See https://repost.aws/knowledge-center/ebs-automatic-encryption

The rule is actually checking if a VOLUME is encrypted, which is done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard

Remove this rule, as it is redundant and misleading.

Reproduction Steps

Run cfn-guard validate against test data for a volume with all amazon_ec2 rules. Note that both ec2_ebs_encryption_by_default and encrypted_volumes return findings. Dig deeper and realize that Encrypted=true is NOT the same thing as encryption by default.

What did you expect to happen?

Expected the account-level default for EBS encryption to be examined (as in the AWS Config rule), but this is not possible looking at a CloudFormation template.

What actually happened?

Rule actually checks if a volume is encrypted. This is already done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard

CloudFormation Guard Version

Not applicable

OS

Not applicable

OS Version

No response

Other information

Remove ec2_ebs_encryption_by_default from rules/aws/amazon_ec2

mobri2a avatar Dec 19 '23 13:12 mobri2a
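The distinction the issue draws, illustrated as an added example (not code from the aws-guard-rules-registry project or from the issue author): a template linter can only evaluate the `Encrypted` property of each `AWS::EC2::Volume`, while the account-level "EBS encryption by default" setting lives outside CloudFormation and is read through the EC2 API (`GetEbsEncryptionByDefault`). The sample template and the `FakeEc2Client` stand-in are constructed so the block runs offline; the `find_unencrypted_volumes` and `account_encryption_by_default` helper names are this example's own.

```python
"""Two different checks that are easy to conflate:

1. per-resource: does this AWS::EC2::Volume in the template set Encrypted: true?
   (what encrypted_volumes.guard checks, and what the misnamed
   ec2_ebs_encryption_by_default.guard effectively checks too)
2. per-account: is EBS encryption by default enabled in the account/region?
   (what the AWS Config rule checks; not visible in any template)
"""
import json
from typing import List


# Constructed sample template, not the project's test data: one encrypted
# volume, one explicitly unencrypted, one that omits Encrypted entirely.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": True},
        },
        "BadVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": False},
        },
        "UnsetVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


def find_unencrypted_volumes(template_json: str) -> List[str]:
    """Return logical IDs of AWS::EC2::Volume resources that do not set
    Encrypted: true.

    A missing Encrypted key is reported as a finding on purpose: whether such a
    volume ends up encrypted depends on the account default at deploy time,
    which the template cannot express, so a template-level check must not
    assume it.
    """
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        props = resource.get("Properties", {})
        if props.get("Encrypted") is not True:
            findings.append(logical_id)
    return findings


class FakeEc2Client:
    """Offline stand-in for a boto3 EC2 client (constructed for this example).

    It mimics only the response shape of get_ebs_encryption_by_default(),
    which returns {"EbsEncryptionByDefault": <bool>}.
    """

    def __init__(self, enabled: bool) -> None:
        self._enabled = enabled

    def get_ebs_encryption_by_default(self) -> dict:
        return {"EbsEncryptionByDefault": self._enabled}


def account_encryption_by_default(ec2_client) -> bool:
    """The account-level check: requires a live API call, not a template.

    Pass a real boto3 client (boto3.client("ec2")) in practice; the setting is
    per account and per region, so it must be queried for each region in scope.
    """
    response = ec2_client.get_ebs_encryption_by_default()
    return bool(response["EbsEncryptionByDefault"])


if __name__ == "__main__":
    print("template findings:", find_unencrypted_volumes(SAMPLE_TEMPLATE))
    print("account default:", account_encryption_by_default(FakeEc2Client(False)))
```

The per-resource function is what a cfn-guard rule can reasonably implement; the per-account function has no template equivalent, which is why a guard rule named after the account default cannot do what its name claims.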