Ensure all data stored in the Launch configuration EBS is securely encrypted

Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.

Risk Level: High
Cloud Entity: AWS AutoScaling LaunchConfiguration
CloudGuard Rule ID: D9.CFT.CRY.21
Covered by Spectral: No
Category: Compute


AWS_AutoScaling_LaunchConfiguration should have BlockDeviceMappings contain [ Ebs.Encrypted=true ]


From CFT
Supply AWS::AutoScaling::LaunchConfiguration::BlockDeviceMappings::Ebs::Encrypted with Boolean value 'true'
See below example;

Type: AWS::AutoScaling::LaunchConfiguration
- DeviceName: /dev/sda1
Encrypted : true


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-autoscaling-launchconfiguration-blockdevice.html#cfn-autoscaling-launchconfiguration-blockdevice-encrypted

AWS AutoScaling LaunchConfiguration

The AWS::AutoScaling::LaunchConfiguration resource specifies the launch configuration that can be used by an Auto Scaling group to configure Amazon EC2 instances.When you update the launch configuration for an Auto Scaling group, CloudFormation deletes that resource and creates a new launch configuration with the updated properties and a new name. Existing instances are not affected. To update existing instances when you update the AWS::AutoScaling::LaunchConfiguration resource, you can specify an UpdatePolicy attribute for the group.

Compliance Frameworks

  • AWS CloudFormation ruleset