Ensure that the root block device has encryption enabled

With Amazon EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. It also ensures that the data is encrypted at rest and in transit between the EBS volume and the EC2 instance.

Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.CFT.CRY.10
Covered by Spectral: Yes
Category: Compute


AWS_EC2_Instance should have BlockDeviceMappings contain-all [ Ebs.Encrypted='true' ]


From CFT
Set Ebs.Encrypted to true in the BlockDeviceMappings array of the AWS::EC2::Instance resource.
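The following is an added example (not CloudGuard's or Spectral's own code) that applies the rule above to a CloudFormation template in JSON form: every BlockDeviceMappings entry of an AWS::EC2::Instance must carry Ebs.Encrypted = true. The template and logical IDs are constructed for illustration; as an assumption stricter than the literal rule, an instance that declares no mappings at all is also reported, since its root volume then inherits the AMI or account-default setting rather than being declared encrypted.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template), not from the page:
# one compliant instance, one with an unencrypted root volume, one with a second
# mapping that has no Ebs block, and one that declares no mappings at all.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "GoodInstance": {"Type": "AWS::EC2::Instance", "Properties": {
      "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": true}}]}},
    "PlainRoot": {"Type": "AWS::EC2::Instance", "Properties": {
      "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": "false"}}]}},
    "MixedVolumes": {"Type": "AWS::EC2::Instance", "Properties": {
      "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": "true"}},
        {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 100}}]}},
    "NoMappings": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-PLACEHOLDER"}},
    "NotAnInstance": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}""")

def _is_true(value):
    """CloudFormation accepts both the JSON boolean true and the string 'true'."""
    return value is True or (isinstance(value, str) and value.lower() == "true")

def unencrypted_instances(template):
    """Return {logical_id: [reasons]} for AWS::EC2::Instance resources that fail the
    rule. Reporting instances with no BlockDeviceMappings is an assumption of this
    example (stricter than the rule text): such a root volume is never declared encrypted."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        mappings = resource.get("Properties", {}).get("BlockDeviceMappings", [])
        reasons = []
        if not mappings:
            reasons.append("no BlockDeviceMappings declared; root volume encryption not asserted")
        for mapping in mappings:
            device = mapping.get("DeviceName", "<unnamed>")
            ebs = mapping.get("Ebs")
            if not isinstance(ebs, dict):
                reasons.append(f"{device}: no Ebs block, so Ebs.Encrypted cannot be true")
            elif not _is_true(ebs.get("Encrypted")):
                reasons.append(f"{device}: Ebs.Encrypted is {ebs.get('Encrypted')!r}, expected true")
        if reasons:
            findings[logical_id] = reasons
    return findings

if __name__ == "__main__":
    for rid, why in unencrypted_instances(SAMPLE_TEMPLATE).items():
        print(rid, "->", "; ".join(why))
```

Templates written in YAML can be converted to this JSON form before checking; the remediation is the same in both: add "Encrypted": true under Ebs for every mapping that is flagged.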


  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  2. https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-root-volume-property/

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CloudFormation ruleset