What is the problem?
This rule (ec2_ebs_encryption_by_default.guard) does not check if EBS encryption is enabled by default, as this is not something that can be set in a CloudFormation template. See https://repost.aws/knowledge-center/ebs-automatic-encryption
The rule is actually checking if a VOLUME is encrypted, which is done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard
Remove this rule, as it is redundant and misleading.
Reproduction Steps
Run cfn-guard validate against test data for a volume with all amazon_ec2 rules. Note that both ec2_ebs_encryption_by_default and encrypted_volumes return findings. Dig deeper and realize that Encrypted=true is NOT the same thing as encryption by default.
What did you expect to happen?
Expected the account-level default for EBS encryption to be examined (as in the AWS Config rule), but this is not possible looking at a CloudFormation template.
What actually happened?
Rule actually checks if a volume is encrypted. This is already done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard
CloudFormation Guard Version
Not applicable
OS
Not applicable
OS Version
No response
Other information
Remove ec2_ebs_encryption_by_default from rules/aws/amazon_ec2
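As an added illustration of the point above (this is not the cfn-guard project's code or either of its rules), a small Python checker run over a constructed template shows the only encryption fact a template-level rule can evaluate: each volume's Encrypted property. The sample template and the function name are assumptions.

```python
"""Template-level check of EBS volume encryption (constructed example, not the
cfn-guard project's rule). A CloudFormation template carries each volume's
Encrypted property only; the account-wide EBS encryption default is an EC2
account setting with no CloudFormation resource type."""
import json

# Constructed sample template (assumption): four volumes covering the cases a
# template-level check can and cannot decide, plus an unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"EncryptParam": {"Type": "String", "Default": "true"}},
  "Resources": {
    "GoodVolume":  {"Type": "AWS::EC2::Volume",
                    "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8,
                                   "Encrypted": true}},
    "BadVolume":   {"Type": "AWS::EC2::Volume",
                    "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8,
                                   "Encrypted": false}},
    "NoFlagVolume": {"Type": "AWS::EC2::Volume",
                     "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8}},
    "ParamVolume": {"Type": "AWS::EC2::Volume",
                    "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8,
                                   "Encrypted": {"Ref": "EncryptParam"}}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def check_volume_encryption(template: dict) -> dict[str, str]:
    """Return {logical_id: reason} for every AWS::EC2::Volume that a static
    template check cannot confirm as encrypted; passing volumes are omitted."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        value = resource.get("Properties", {}).get("Encrypted")
        if value is True or (isinstance(value, str) and value.lower() == "true"):
            continue  # literally true: the only case a template proves
        if value is None:
            # Omitted: encrypted only if the account-level default is on,
            # which lives outside the template (EC2 GetEbsEncryptionByDefault).
            findings[logical_id] = "Encrypted not set; depends on account default"
        elif isinstance(value, dict):
            findings[logical_id] = "Encrypted is an intrinsic; unresolved statically"
        else:
            findings[logical_id] = f"Encrypted is {value!r}"
    return findings
```

Whatever the rule is named, this per-volume property is all a template exposes, which is why the two rules produce the same findings.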