aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0
105 stars, 21 forks

(ec2_ebs_encryption_by_default.guard): Does not do what it says #252

Open mobri2a opened 8 months ago

mobri2a commented 8 months ago

What is the problem?

This rule (ec2_ebs_encryption_by_default.guard) does not check if EBS encryption is enabled by default, as this is not something that can be set in a CloudFormation template. See https://repost.aws/knowledge-center/ebs-automatic-encryption

The rule is actually checking if a VOLUME is encrypted, which is done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard

Remove this rule, as it is redundant and misleading.

Reproduction Steps

Run cfn-guard validate against test data for a volume with all amazon_ec2 rules. Note that both ec2_ebs_encryption_by_default and encrypted_volumes return findings. Dig deeper and realize that Encrypted=true is NOT the same thing as encryption by default.

What did you expect to happen?

Expected the account-level default for EBS encryption to be examined (as in the AWS Config rule), but this is not possible looking at a CloudFormation template.

What actually happened?

Rule actually checks if a volume is encrypted. This is already done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard

CloudFormation Guard Version

Not applicable

OS

Not applicable

OS Version

No response

Other information

Remove ec2_ebs_encryption_by_default from rules/aws/amazon_ec2
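The distinction the issue draws, as an added example that is not code from aws-guard-rules-registry or from the issue author: a template-level check (what encrypted_volumes.guard effectively does, reported per AWS::EC2::Volume) kept separate from the account-level "EBS encryption by default" setting, which no CloudFormation property expresses and which can only be read through the EC2 API. The sample template, the FakeEc2Client stand-in and the function names are constructed for this example; the only real API referenced is the boto3 EC2 client method get_ebs_encryption_by_default, which the code never calls against a live account.

```python
"""Template-level vs account-level EBS encryption checks (added example).

Two different questions, which the issue says the guard rule conflates:
  1. Does each AWS::EC2::Volume in a template set Encrypted: true?
     Answerable from the template alone.
  2. Is EBS encryption by default enabled for the account/region?
     An account setting with no CloudFormation representation; only the
     EC2 API (GetEbsEncryptionByDefault) can answer it.
"""
from typing import Any, Dict, List

# Constructed sample template: one encrypted volume, one explicitly
# unencrypted volume, one that omits Encrypted, and one unrelated resource.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "EncryptedVol": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8, "Encrypted": True},
        },
        "PlainVol": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8, "Encrypted": False},
        },
        "UnspecifiedVol": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
}


def volume_encryption_findings(template: Dict[str, Any]) -> List[str]:
    """Template-level check: logical IDs of every AWS::EC2::Volume whose
    Encrypted property is not literally true. A volume that omits Encrypted
    is reported as well, because the template alone cannot tell whether the
    account default would encrypt it at creation time."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Volume":
            continue
        if res.get("Properties", {}).get("Encrypted") is not True:
            findings.append(logical_id)
    return sorted(findings)


class FakeEc2Client:
    """Constructed stand-in for boto3.client("ec2") so the example runs offline.
    It only implements the one method the account-level check needs."""

    def __init__(self, enabled: bool) -> None:
        self._enabled = enabled

    def get_ebs_encryption_by_default(self) -> Dict[str, bool]:
        # Same response shape as the real EC2 API call.
        return {"EbsEncryptionByDefault": self._enabled}


def account_ebs_encryption_by_default(ec2_client) -> bool:
    """Account-level check. ec2_client is any object exposing the boto3 EC2
    client method get_ebs_encryption_by_default(); pass boto3.client("ec2")
    for a real account, FakeEc2Client here."""
    resp = ec2_client.get_ebs_encryption_by_default()
    return bool(resp.get("EbsEncryptionByDefault", False))


def volumes_needing_review(template: Dict[str, Any], account_default_on: bool) -> List[str]:
    """Combine both answers: volumes the template does not guarantee encrypted.
    Encrypted: true  -> fine.
    Encrypted omitted -> fine only when the account default is on.
    Encrypted: false -> always reported; the template explicitly asks for an
    unencrypted volume, so it deserves review regardless of the account setting."""
    flagged = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Volume":
            continue
        encrypted = res.get("Properties", {}).get("Encrypted")
        if encrypted is True:
            continue
        if encrypted is None and account_default_on:
            continue
        flagged.append(logical_id)
    return sorted(flagged)


if __name__ == "__main__":
    print("template-only findings:", volume_encryption_findings(SAMPLE_TEMPLATE))
    for default_on in (True, False):
        client = FakeEc2Client(default_on)
        print(f"account default on={account_ebs_encryption_by_default(client)} ->",
              volumes_needing_review(SAMPLE_TEMPLATE, default_on))
```

Note that the template-only pass flags UnspecifiedVol whether or not the account encrypts by default; only the combined pass, which needs the API answer, can clear it. That is exactly why a rule evaluated against a template cannot implement "encryption by default".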