
aws-resource-unencrypted-at-rest

Ensure that all data stored in the managed service is encrypted at rest. Where the service supports it, prefer a customer-managed KMS key over the AWS-managed or AWS-owned default, so that the key policy, rotation and access logging are under your control rather than the service's.

The rule applies to the following resources, which each have slightly different parameters for configuring encryption. Note that for several of these services (for example EBS volumes and RDS-style clusters such as DocumentDB and Neptune) encryption at rest can only be chosen when the resource is created, so the setting belongs in the initial template rather than in a later change:

Supported services

Athena

Secure examples

resource "aws_athena_database" "encrypted_athena_database" {
    bucket = "some-bucket"
    name = "encrypted"
    # Query results written to the bucket are server-side encrypted with an
    # S3-managed key (SSE_S3). The provider also accepts SSE_KMS / CSE_KMS
    # together with a kms_key for a customer-managed key -- confirm the exact
    # attribute names against the provider version in use.
    encryption_configuration {
        encryption_option = "SSE_S3"
    }
}

More information

Autoscaling Launch Configuration

Secure examples

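resource "aws_launch_configuration" "some-config" {
    name                 = "launch-configuration"
    # Other configs...
    # Both the root volume and every additional EBS volume must be encrypted;
    # a single `encrypted = false` on either block fails the rule. The original
    # page listed this as a secure example with encryption disabled.
    root_block_device {
        volume_type           = "standard"
        volume_size           = 100
        delete_on_termination = true
        encrypted             = true
    }
    ebs_block_device {
        device_name = "ebs-device"
        encrypted   = true
    }
}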
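AWSTemplateFormatVersion: '2010-09-09'
Resources:
    AutoScalingConfig:
        Type: AWS::AutoScaling::LaunchConfiguration
        Properties:
            ImageId: ami-0ff8a91507f77f867
            SecurityGroups:
              - myExistingEC2SecurityGroup
            InstanceType: m1.small
            # Every block device mapping must set Ebs.Encrypted: true.
            # Ebs is a child of the mapping entry, so it sits at the same
            # indent as DeviceName and its own properties go one level deeper
            # (the original snippet was mis-indented and did not parse).
            BlockDeviceMappings:
              - DeviceName: "/dev/sdk"
                Ebs:
                  VolumeSize: 50
                  Encrypted: true
              - DeviceName: "/dev/sdf"
                Ebs:
                  Encrypted: true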

More information

CodeBuild Project

Secure examples

resource "aws_codebuild_project" "example" {
    name          = "test-project"
    description   = "test_codebuild_project"
    build_timeout = "5"
    service_role  = aws_iam_role.example.arn
    # artifacts / environment / source blocks are omitted here for brevity.
    # An empty encryption_key leaves build artifacts on the AWS-managed key.
    # Passing a customer-managed KMS key ARN instead gives control over the
    # key policy and rotation -- confirm against the provider docs in use.
    encryption_key = "" # Empty string -> AWS managed key
}
AWSTemplateFormatVersion: 2010-09-09
Resources:
    Project:
        Type: AWS::CodeBuild::Project
        Properties:
            Name: myProjectName
            # ... other attributes
            # An empty EncryptionKey keeps artifacts on the AWS-managed key;
            # supply a customer-managed KMS key ARN here to own the key policy.
            EncryptionKey: "" # Empty string --> AWS managed key

More information

DAX

Secure examples

resource "aws_dax_cluster" "test" {
    cluster_name = "tf-test-001"
    # ... other attribs
    # Server-side encryption for DAX is chosen at cluster creation; changing
    # it later presumably forces a replacement -- verify with the provider.
    server_side_encryption {
        enabled = true
    }
}
AWSTemplateFormatVersion: "2010-09-09"
Resources:
    daxCluster:
        Type: AWS::DAX::Cluster
        Properties:
            ClusterName: "MyDAXCluster"
            # ... other configs
            # SSEEnabled must be true at creation; it is not expected to be
            # switchable on an existing cluster.
            SSESpecification:
                SSEEnabled: true

More information

DocumentDB

Secure examples

resource "aws_docdb_cluster" "encrypted_docdb" {
    # storage_encrypted is fixed at cluster creation; kms_key_id selects a
    # customer-managed key (placeholder ARN below) instead of the default
    # aws/rds key. Other required cluster attributes are omitted here.
    storage_encrypted = true
    kms_key_id = "arn:aws:kms:us-east-1:000000000000:key/some-key-uuid"
}
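AWSTemplateFormatVersion: "2010-09-09"
Resources:
    myDBInstance:
        Type: "AWS::DocDB::DBCluster"
        Properties:
            # Placeholder -- replace with the ARN/ID of a customer-managed key.
            # (The original had a space before the colon and trailing
            # whitespace on several lines; both are cleaned up here.)
            KmsKeyId: "your-kms-key-id"
            StorageEncrypted: true
            #... other configs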

More information

DynamoDB

Secure examples

resource "aws_dynamodb_table" "some-db" {
    name = "some-db"
    # DynamoDB tables are always encrypted at rest. This block selects a KMS
    # key (the AWS-managed aws/dynamodb key, or a customer-managed key via
    # kms_key_arn) instead of the AWS-owned default. Omitting the block is
    # therefore not the same as enabled = true -- confirm against the
    # provider docs for the version in use.
    server_side_encryption {
        enabled = true
    }
}

More information

EC2

Secure examples

# The instance itself declares no volume encryption here; its root volume
# follows the AMI / account-level EBS default. Add a root_block_device block
# with encrypted = true if the root volume should be covered explicitly.
resource "aws_instance" "web" {
    ami               = "ami-21f78e11"
    availability_zone = "us-west-2a"
    instance_type     = "t2.micro"
}

# Attaches the encrypted volume below to the instance above; the attachment
# itself has no encryption setting -- it is the volume that must be encrypted.
resource "aws_volume_attachment" "ok_attachment1" {
    device_name = "/dev/sdh3"
    volume_id   = aws_ebs_volume.ok_ebs2.id
    instance_id = aws_instance.web.id
}

# Encryption is chosen when the volume is created. A kms_key_id may be added
# to use a customer-managed key instead of the default aws/ebs key.
resource "aws_ebs_volume" "ok_ebs2" {
    availability_zone = "..."
    encrypted = true
}

More information

EC2 EBS Volume

Secure examples

# Encryption is chosen when the volume is created; an existing unencrypted
# volume cannot be flipped in place (snapshot-and-copy is the usual path).
resource "aws_ebs_volume" "ok_ebs2" {
    availability_zone = "..."
    encrypted = true
}
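AWSTemplateFormatVersion: "2010-09-09"
Resources:
    NewVolume:
        Type: AWS::EC2::Volume
        Properties:
            Size: 100
            Encrypted: true
            # Ec2Instance is assumed to be defined elsewhere in the template.
            AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone
            # Value must align with Key inside the same list item; the original
            # indented it one level deeper, which does not parse.
            Tags:
              - Key: MyTag
                Value: TagValue
        # A snapshot is taken on stack deletion; snapshots of an encrypted
        # volume stay encrypted under the volume's key.
        DeletionPolicy: Snapshot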

More information

EFS

Secure examples

# Encryption is fixed at file-system creation. Without kms_key_id the
# AWS-managed aws/elasticfilesystem key is used; set it for a CMK.
resource "aws_efs_file_system" "encrypted_file_system" {
  encrypted = true
}
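AWSTemplateFormatVersion: '2010-09-09'
Resources:
    FileSystemResource:
        Type: 'AWS::EFS::FileSystem'
        Properties:
            Encrypted: true
            # !GetAtt takes [LogicalId, Attribute] in that order (the original
            # had them reversed). CloudFormation logical IDs must be
            # alphanumeric, so the key is named FileSystemKey, not some-key.
            KmsKeyId: !GetAtt FileSystemKey.Arn
            # ... Other attribs
    FileSystemKey:
        Type: AWS::KMS::Key
        Properties:
            # Annual automatic rotation of the key material.
            EnableKeyRotation: true
            KeyPolicy:
                Version: '2012-10-17'
                Id: key-default-1
                Statement:
                  - Sid: Allow administration of the key
                    Effect: Allow
                    # Granting kms:* to the account root delegates key access
                    # to IAM policies in this account. Narrow the principal to
                    # specific admin roles if that delegation is not wanted.
                    Principal:
                        AWS: !Join
                            - ''
                            - - 'arn:aws:iam::'
                              - !Ref 'AWS::AccountId'
                              - ':root'
                    Action:
                      - 'kms:*'
                    Resource:
                      - '*'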

More information

EKS

Secure examples

resource "aws_eks_cluster" "enabled" {
    name     = "eks"
    # ... other attribs
    # Envelope-encrypts Kubernetes secrets with the KMS key in var.key_arn.
    # "secrets" is the only resource type this setting covers; the key must
    # be in the cluster's region and the cluster role needs kms:Encrypt /
    # kms:Decrypt / kms:DescribeKey on it -- confirm against EKS docs.
    encryption_config {
        resources = ["secrets"]
        provider {
            key_arn = var.key_arn
        }
    }
}
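AWSTemplateFormatVersion: '2010-09-09'
Parameters:
    SecretsKmsKeyArn:
        Type: String
        Description: ARN of the KMS key used to envelope-encrypt Kubernetes secrets
Resources:
    myCluster:
        Type: 'AWS::EKS::Cluster'
        Properties:
            Name: prod
            # 1.14 is long past end of support; use a currently supported
            # Kubernetes version for a real deployment.
            Version: '1.14'
            RoleArn: >-
                arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI
            ResourcesVpcConfig:
                SecurityGroupIds:
                  - sg-6979fe18
                SubnetIds:
                  - subnet-6782e71e
                  - subnet-e7e761ac
            # The Terraform example for this rule requires a provider key ARN
            # alongside the resource list; the original template omitted it,
            # leaving no key for the secrets to be encrypted with.
            EncryptionConfig:
              - Resources:
                  - secrets
                Provider:
                    KeyArn: !Ref SecretsKmsKeyArn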

More information

ElastiCache ReplicationGroup

Secure examples

resource "aws_elasticache_replication_group" "encrypted_replication_group" {
    replication_group_description = "nimtest replication group"
    replication_group_id = "nimtest"
    # At-rest encryption is chosen at creation. The companion setting for
    # data in flight is transit_encryption_enabled (not part of this rule).
    at_rest_encryption_enabled = true
    # Zero node groups / replicas is a placeholder from the test fixture;
    # a real group needs at least one -- presumably sized by the caller.
    cluster_mode {
        num_node_groups = 0
        replicas_per_node_group = 0
    }
}
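AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myReplicationGroup:
        Type: 'AWS::ElastiCache::ReplicationGroup'
        Properties:
            # At-rest encryption only takes effect at creation and is only
            # available on Redis 3.2.6 / 4.0.10 and later; the original
            # example paired it with EngineVersion 2.8.6, which cannot honour
            # it. TransitEncryptionEnabled is the in-flight counterpart.
            AtRestEncryptionEnabled: true
            ReplicationGroupDescription: my description
            NumCacheClusters: '2'
            Engine: redis
            CacheNodeType: cache.m3.medium
            AutomaticFailoverEnabled: true
            CacheSubnetGroupName: subnetgroup
            EngineVersion: '6.2'
            PreferredMaintenanceWindow: 'wed:09:25-wed:22:30'
            SnapshotRetentionLimit: '4'
            SnapshotWindow: '03:30-05:30'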

More information

Elasticsearch Domain

Secure examples

resource "aws_elasticsearch_domain" "encrypted_domain" {
    domain_name = "nimtest-encryption-test"
    # Encryption of the domain's storage; a kms_key_id can be added inside
    # this block for a customer-managed key.
    encrypt_at_rest {
        enabled = true
    }
    # TLS between nodes -- shown alongside at-rest encryption because both
    # are normally expected together, though this rule checks only the former.
    node_to_node_encryption {
        enabled = true
    }
}
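AWSTemplateFormatVersion: '2010-09-09'
Parameters:
    DomainName:
        Type: String
Resources:
    ElasticsearchDomain:
        Type: AWS::Elasticsearch::Domain
        Properties:
            DomainName: !Ref DomainName
            # Lowercase boolean (the original wrote True). A KmsKeyId may be
            # added here to use a customer-managed key.
            EncryptionAtRestOptions:
                Enabled: true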

More information

Glue DataCatalogEncryptionSettings

Secure examples

resource "aws_glue_data_catalog_encryption_settings" "example" {
    data_catalog_encryption_settings {
        # Connection passwords stored in the catalog are encrypted with the
        # given key and only returned encrypted by the API.
        connection_password_encryption {
            aws_kms_key_id                       = aws_kms_key.test.arn
            return_connection_password_encrypted = true
        }

        # Catalog metadata itself is encrypted with SSE-KMS under the same key.
        encryption_at_rest {
            catalog_encryption_mode = "SSE-KMS"
            sse_aws_kms_key_id      = aws_kms_key.test.arn
        }
    }
}
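AWSTemplateFormatVersion: '2010-09-09'
Resources:
    Resource0:
        Type: 'AWS::Glue::DataCatalogEncryptionSettings'
        Properties:
            # The Glue catalog ID is the AWS account ID.
            CatalogId: !Ref AWS::AccountId
            DataCatalogEncryptionSettings:
                # ReturnConnectionPasswordEncrypted belongs inside
                # ConnectionPasswordEncryption; the original placed it one
                # level up, where it is not a valid property.
                ConnectionPasswordEncryption:
                    KmsKeyId: "KmsKeyId"
                    ReturnConnectionPasswordEncrypted: true
                EncryptionAtRest:
                    CatalogEncryptionMode: "SSE-KMS"
                    SseAwsKmsKeyId: "SseAwsKmsKeyId"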

More information

Glue SecurityConfiguration

Secure examples

resource "aws_glue_security_configuration" "example" {
    name = "example"
    # Only S3 output encryption is configured here. The same block also
    # carries cloudwatch_encryption and job_bookmarks_encryption settings;
    # leaving them out presumably leaves those outputs unencrypted -- verify.
    encryption_configuration {
        s3_encryption {
            kms_key_arn        = data.aws_kms_key.example.arn
            s3_encryption_mode = "SSE-KMS"
        }
    }
}
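AWSTemplateFormatVersion: '2010-09-09'
Resources:
    Resource0:
        Type: AWS::Glue::SecurityConfiguration
        Properties:
            Name: Name
            EncryptionConfiguration:
                # S3Encryptions is a list of S3Encryption entries, not a
                # single mapping as the original wrote it.
                S3Encryptions:
                  - KmsKeyArn: KmsKeyArn
                    S3EncryptionMode: SSE-KMS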

More information

Neptune

Secure examples

resource "aws_neptune_cluster" "encrypted_neptune" {
    cluster_identifier = "encrypted-neptune"
    # Fixed at creation; add kms_key_arn for a customer-managed key instead
    # of the default AWS-managed key.
    storage_encrypted = true
    # ... other attributes
}
AWSTemplateFormatVersion: 2010-09-09
Resources:
    NeptuneDBCluster:
        Type: "AWS::Neptune::DBCluster"
        Properties:
            # ... other attributes
            # Fixed at creation; KmsKeyId may be added for a customer-managed key.
            StorageEncrypted: true

More information

RDS

Secure examples

resource "aws_db_instance" "encrypted_instance" {
    # ... other attributes
    # Fixed at creation (an existing unencrypted instance is migrated via an
    # encrypted snapshot copy); kms_key_id selects a customer-managed key.
    storage_encrypted = true
}
AWSTemplateFormatVersion: 2010-09-09
Resources:
    # Cluster form (Aurora); the Terraform example above is a single
    # AWS::RDS::DBInstance -- the property name is the same on both.
    SomeDB:
        Type: 'AWS::RDS::DBCluster'
        Properties:
            StorageEncrypted: true

More information

Redshift

Secure examples

resource "aws_redshift_cluster" "encrypted_redshift_cluster" {
    # ... other attributes
    # kms_key_id may be added for a customer-managed key; without it the
    # cluster is expected to use the AWS-managed Redshift key -- verify.
    encrypted = true
}
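AWSTemplateFormatVersion: '2010-09-09'
Parameters:
    # NoEcho keeps the value out of stack events and console output; the
    # original template carried the master password as a plaintext literal.
    MasterUserPassword:
        Type: String
        NoEcho: true
Resources:
    RedshiftClusterEnabled:
        Type: "AWS::Redshift::Cluster"
        Properties:
            DBName: "mydb"
            MasterUsername: "master"
            MasterUserPassword: !Ref MasterUserPassword
            NodeType: "ds2.xlarge"
            ClusterType: "single-node"
            # Fixed at creation; KmsKeyId may be added for a customer-managed key.
            Encrypted: true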

More information