aws-resource-unencrypted-at-rest¶
Ensure that all data stored in the managed service is encrypted at rest.
The rule applies to the following resources; each has slightly different parameters for configuring encryption:
Supported services¶
Athena¶
Secure examples¶
# Athena query results written to the bucket are encrypted server-side with
# S3-managed keys (SSE_S3). SSE_KMS / CSE_KMS plus a kms_key are the
# alternatives when a customer-managed key is required (presumably; check the
# provider docs for the current option list).
resource "aws_athena_database" "encrypted_athena_database" {
  name   = "encrypted"
  bucket = "some-bucket"

  encryption_configuration {
    encryption_option = "SSE_S3"
  }
}
More information¶
Autoscaling Launch Configuration¶
Secure examples¶
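resource "aws_launch_configuration" "some-config" {
  name = "launch-configuration"
  # Other configs...

  # Every block device the instances boot with is encrypted. The original
  # example had `encrypted = false` on both devices, which is exactly the
  # misconfiguration this rule flags, so it was not a secure example.
  root_block_device {
    volume_type           = "standard"
    volume_size           = 100
    delete_on_termination = true
    encrypted             = true
  }

  ebs_block_device {
    device_name = "ebs-device"
    encrypted   = true
  }
}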
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  AutoScalingConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: ami-0ff8a91507f77f867
      InstanceType: m1.small
      SecurityGroups:
        - myExistingEC2SecurityGroup
      # Every EBS mapping carries Encrypted: true; a mapping without it would
      # fall back to the account's EBS default-encryption setting.
      BlockDeviceMappings:
        - DeviceName: /dev/sdk
          Ebs:
            Encrypted: true
            VolumeSize: 50
        - DeviceName: /dev/sdf
          Ebs:
            Encrypted: true
More information¶
CodeBuild Project¶
Secure examples¶
resource "aws_codebuild_project" "example" {
  name          = "test-project"
  description   = "test_codebuild_project"
  build_timeout = "5"
  service_role  = aws_iam_role.example.arn

  # "" selects the AWS-managed CodeBuild key; put a KMS key ARN here instead
  # when build artifacts must be encrypted with a customer-managed key.
  encryption_key = ""
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Project:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: myProjectName
      # An empty EncryptionKey selects the AWS-managed key; supply a KMS key
      # ARN to encrypt artifacts with a customer-managed key.
      EncryptionKey: ""
      # ... other attributes
More information¶
- Terraform docs on encryption: you can simply set the `encryption_key` attribute to an empty string `""` and AWS will use a managed key for the encryption.
- CloudFormation docs on encryption
DAX¶
Secure examples¶
resource "aws_dax_cluster" "test" {
  cluster_name = "tf-test-001"

  # Server-side encryption of the cluster's data at rest. NOTE(review): this
  # appears to be a create-time setting that replaces the cluster if changed
  # later — confirm against the provider docs before toggling on a live cluster.
  server_side_encryption {
    enabled = true
  }
  # ... other attribs
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  daxCluster:
    Type: AWS::DAX::Cluster
    Properties:
      ClusterName: MyDAXCluster
      # Server-side encryption for the DAX cluster's data at rest.
      SSESpecification:
        SSEEnabled: true
      # ... other configs
More information¶
DocumentDB (DocDB)¶
Secure examples¶
resource "aws_docdb_cluster" "encrypted_docdb" {
  # Storage encryption is enabled and pinned to a specific KMS key; the key
  # ARN below is a placeholder for the real customer-managed key.
  kms_key_id        = "arn:aws:kms:us-east-1:000000000000:key/some-key-uuid"
  storage_encrypted = true
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myDBInstance:
    Type: AWS::DocDB::DBCluster
    Properties:
      StorageEncrypted: true
      # Optional: pin the cluster to a customer-managed key (placeholder).
      KmsKeyId: your-kms-key-id
      # ... other configs
More information¶
DynamoDB¶
Secure examples¶
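resource "aws_dynamodb_table" "some-db" {
  name = "some-db"

  # Explicitly select KMS encryption. Leaving this block out is NOT the same
  # setting, so the old "this is the default, it can be omitted" comment was
  # misleading: without the block the table uses the AWS-owned key ("DEFAULT"
  # in the console), whereas enabled = true selects the AWS-managed
  # aws/dynamodb KMS key. Add kms_key_arn here for a customer-managed key.
  server_side_encryption {
    enabled = true
  }
}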
More information¶
EC2¶
Secure examples¶
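resource "aws_instance" "web" {
  ami               = "ami-21f78e11"
  availability_zone = "us-west-2a"
  instance_type     = "t2.micro"

  # The root volume is its own EBS volume and was not covered by the original
  # example; encrypt it explicitly rather than relying on the account's EBS
  # default-encryption setting.
  root_block_device {
    encrypted = true
  }
}

# Additional data volume, created encrypted and then attached to the instance.
resource "aws_ebs_volume" "ok_ebs2" {
  availability_zone = "..." # placeholder; must match the instance's AZ
  encrypted         = true
}

resource "aws_volume_attachment" "ok_attachment1" {
  device_name = "/dev/sdh3"
  volume_id   = aws_ebs_volume.ok_ebs2.id
  instance_id = aws_instance.web.id
}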
More information¶
EC2 EBS Volume¶
Secure examples¶
# Standalone EBS volume with encryption enabled (add kms_key_id to use a
# customer-managed key instead of the default EBS key).
resource "aws_ebs_volume" "ok_ebs2" {
  encrypted         = true
  availability_zone = "..." # placeholder
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  NewVolume:
    Type: AWS::EC2::Volume
    Properties:
      Encrypted: true
      Size: 100
      # Ec2Instance is assumed to be declared elsewhere in the template.
      AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
      Tags:
        - Key: MyTag
          Value: TagValue
    DeletionPolicy: Snapshot
More information¶
EFS¶
Secure examples¶
# EFS file system encrypted at rest; add kms_key_id to select a
# customer-managed key instead of the service default.
resource "aws_efs_file_system" "encrypted_file_system" {
  encrypted = true
}
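AWSTemplateFormatVersion: "2010-09-09"
Resources:
  FileSystemResource:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      # Logical IDs must be alphanumeric ("some-key" is not valid), and the
      # list form of !GetAtt is [LogicalId, AttributeName] — the original had
      # the two reversed, so the template would not have deployed.
      KmsKeyId: !GetAtt SomeKey.Arn
      # ... Other attribs
  SomeKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: "2012-10-17"
        Id: key-default-1
        Statement:
          # Account-root administration is the standard baseline that keeps
          # the key manageable; add narrowly scoped usage statements for the
          # principals that actually need kms:Encrypt/Decrypt on it.
          - Sid: Allow administration of the key
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action:
              - kms:*
            Resource:
              - "*"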
More information¶
EKS¶
Secure examples¶
resource "aws_eks_cluster" "enabled" {
  name = "eks"

  # Envelope-encrypt Kubernetes Secrets stored in etcd with the given KMS key.
  encryption_config {
    provider {
      key_arn = var.key_arn
    }
    resources = ["secrets"]
  }
  # ... other attribs
}
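AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  KmsKeyArn:
    Type: String
    Description: ARN of the KMS key used to envelope-encrypt Kubernetes Secrets
Resources:
  myCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: prod
      # Example value only; use a currently supported Kubernetes release.
      Version: "1.14"
      RoleArn: arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI
      ResourcesVpcConfig:
        SecurityGroupIds:
          - sg-6979fe18
        SubnetIds:
          - subnet-6782e71e
          - subnet-e7e761ac
      # Resources alone does not encrypt anything: the Provider with the KMS
      # key ARN is what actually enables envelope encryption (the original
      # omitted it; this matches key_arn in the Terraform example).
      EncryptionConfig:
        - Provider:
            KeyArn: !Ref KmsKeyArn
          Resources:
            - secrets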
More information¶
ElastiCache ReplicationGroup¶
Secure examples¶
resource "aws_elasticache_replication_group" "encrypted_replication_group" {
  replication_group_id          = "nimtest"
  replication_group_description = "nimtest replication group"

  # Encrypts the data on disk. In-transit encryption is a separate setting
  # (transit_encryption_enabled) that this rule does not cover.
  at_rest_encryption_enabled = true

  cluster_mode {
    num_node_groups         = 0
    replicas_per_node_group = 0
  }
}
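AWSTemplateFormatVersion: "2010-09-09"
Resources:
  myReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: my description
      Engine: redis
      # At-rest encryption is only accepted on Redis engine versions that
      # support it (3.2.6, 4.0.10 and later); the original 2.8.6 would have
      # been rejected at creation. Previous-generation node families are not
      # offered on newer engine versions, hence the node type change.
      EngineVersion: "7.0"
      CacheNodeType: cache.m6g.large
      AtRestEncryptionEnabled: true
      NumCacheClusters: 2
      AutomaticFailoverEnabled: true
      CacheSubnetGroupName: subnetgroup
      PreferredMaintenanceWindow: wed:09:25-wed:22:30
      SnapshotRetentionLimit: 4
      SnapshotWindow: 03:30-05:30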
More information¶
Elasticsearch Domain¶
Secure examples¶
resource "aws_elasticsearch_domain" "encrypted_domain" {
  domain_name = "nimtest-encryption-test"

  # Data on the domain's storage (add kms_key_id for a customer-managed key).
  encrypt_at_rest {
    enabled = true
  }

  # Traffic between nodes; separate from at-rest but worth enabling together.
  node_to_node_encryption {
    enabled = true
  }
}
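AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: !Ref DomainName
      EncryptionAtRestOptions:
        Enabled: true
        # KmsKeyId: <key id> to use a customer-managed key
      # Added so the CloudFormation example matches the Terraform one above;
      # node-to-node traffic is a separate setting from at-rest encryption.
      NodeToNodeEncryptionOptions:
        Enabled: true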
More information¶
Glue DataCatalogEncryptionSettings¶
Secure examples¶
resource "aws_glue_data_catalog_encryption_settings" "example" {
  data_catalog_encryption_settings {
    # Catalog metadata at rest.
    encryption_at_rest {
      catalog_encryption_mode = "SSE-KMS"
      sse_aws_kms_key_id      = aws_kms_key.test.arn
    }

    # Stored connection passwords (a separate setting from catalog data).
    connection_password_encryption {
      return_connection_password_encrypted = true
      aws_kms_key_id                       = aws_kms_key.test.arn
    }
  }
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Resource0:
    Type: AWS::Glue::DataCatalogEncryptionSettings
    Properties:
      CatalogId: CatalogId # placeholder; typically !Ref AWS::AccountId
      DataCatalogEncryptionSettings:
        # Catalog metadata at rest.
        EncryptionAtRest:
          CatalogEncryptionMode: SSE-KMS
          SseAwsKmsKeyId: SseAwsKmsKeyId # placeholder key ID/ARN
        # Stored connection passwords, a separate setting from catalog data.
        ConnectionPasswordEncryption:
          ReturnConnectionPasswordEncrypted: true
          KmsKeyId: KmsKeyId # placeholder key ID/ARN
More information¶
Glue SecurityConfiguration¶
Secure examples¶
resource "aws_glue_security_configuration" "example" {
  name = "example"

  # Only S3 output is covered here; cloudwatch_encryption and
  # job_bookmarks_encryption are separate sub-blocks if job logs and
  # bookmarks must also be KMS-encrypted.
  encryption_configuration {
    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = data.aws_kms_key.example.arn
    }
  }
}
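AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Resource0:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      Name: Name
      EncryptionConfiguration:
        # S3Encryptions is a list of S3Encryption objects; the original wrote
        # it as a single mapping, which fails template validation.
        S3Encryptions:
          - S3EncryptionMode: SSE-KMS
            KmsKeyArn: KmsKeyArn # placeholder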
More information¶
Neptune¶
Secure examples¶
resource "aws_neptune_cluster" "encrypted_neptune" {
  cluster_identifier = "encrypted-neptune"
  # ... other attributes

  # Cluster storage encrypted at rest (add kms_key_arn for a customer-managed key).
  storage_encrypted = true
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  NeptuneDBCluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      # Cluster storage encrypted at rest.
      StorageEncrypted: true
      # ... other attributes
More information¶
RDS¶
Secure examples¶
resource "aws_db_instance" "encrypted_instance" {
  # Instance storage encrypted at rest; kms_key_id selects a customer-managed key.
  storage_encrypted = true
  # ... other attributes
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SomeDB:
    # The same StorageEncrypted property applies to AWS::RDS::DBInstance for
    # non-cluster databases.
    Type: AWS::RDS::DBCluster
    Properties:
      StorageEncrypted: true
More information¶
Redshift¶
Secure examples¶
resource "aws_redshift_cluster" "encrypted_redshift_cluster" {
  # Cluster storage encrypted at rest; kms_key_id selects a customer-managed key.
  encrypted = true
  # ... other attributes
}
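AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Generated credentials kept out of the template and out of the stack's
  # parameter history.
  RedshiftSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "master"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludePunctuation: true
  RedshiftClusterEnabled:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: mydb
      # Never put the master password in the template as a literal (the
      # original did); resolve it from Secrets Manager with a dynamic reference.
      MasterUsername: !Sub "{{resolve:secretsmanager:${RedshiftSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${RedshiftSecret}:SecretString:password}}"
      NodeType: ds2.xlarge
      ClusterType: single-node
      Encrypted: true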