Remove ec2_ebs_encryption_by_default from rules/aws/amazon_ec2
What is the problem?
This rule (ec2_ebs_encryption_by_default.guard) does not check if EBS encryption is enabled by default, as this is not something that can be set in a CloudFormation template. See https://repost.aws/knowledge-center/ebs-automatic-encryption
The rule is actually checking if a VOLUME is encrypted, which is done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard
Remove this rule, as it is redundant and misleading.
Reproduction Steps
Run cfn-guard validate against test data for a volume with all amazon_ec2 rules. Note that both ec2_ebs_encryption_by_default and encrypted_volumes return findings. Dig deeper and realize that Encrypted=true is NOT the same thing as encryption by default.
What did you expect to happen?
Expected the account-level default for EBS encryption to be examined (as in the AWS Config rule), but this is not possible looking at a CloudFormation template.
What actually happened?
Rule actually checks if a volume is encrypted. This is already done more effectively by rules/aws/amazon_ec2/encrypted_volumes.guard
CloudFormation Guard Version
Not applicable
OS
Not applicable
OS Version
No response
Other information
Remove ec2_ebs_encryption_by_default from rules/aws/amazon_ec2
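The distinction this issue draws, as an added example that is not part of the original issue or of the cfn-guard rules repository: a template-only check can see the per-volume Encrypted property, while the account-level default is a regional EC2 setting that has to be supplied from outside the template. The template, the function names and the account_default_enabled parameter are constructed for illustration.

```python
# Constructed sample template (not from the issue or the rules repo).
TEMPLATE = {
    "Resources": {
        "EncryptedVol": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 8, "AvailabilityZone": "us-east-1a", "Encrypted": True},
        },
        "ImplicitVol": {  # Encrypted omitted: outcome depends on the account default
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 8, "AvailabilityZone": "us-east-1a"},
        },
        "PlainVol": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 8, "AvailabilityZone": "us-east-1a", "Encrypted": "false"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}


def template_findings(template):
    """What a template-only rule can report: volumes lacking Encrypted=true."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        encrypted = resource.get("Properties", {}).get("Encrypted")
        # CloudFormation accepts booleans as true/false or as strings.
        if not (encrypted is True or str(encrypted).lower() == "true"):
            findings.append(logical_id)
    return sorted(findings)


def effective_unencrypted(template, account_default_enabled):
    """Volumes that would really be created unencrypted.

    account_default_enabled is an assumption passed in by the caller: the
    template has no field for it, so it must come from the account/region
    (for example from the AWS Config rule or the EC2 API).
    With encryption by default on, EBS encrypts every new volume.
    """
    if account_default_enabled:
        return []
    return template_findings(template)


if __name__ == "__main__":
    print("template-only findings:", template_findings(TEMPLATE))
    print("default ON  ->", effective_unencrypted(TEMPLATE, True))
    print("default OFF ->", effective_unencrypted(TEMPLATE, False))
```

The template-only result is identical for both account settings, which is why a rule named after the account default cannot be satisfied or violated by template content alone.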