🧠 AWS EBS Attached Volume is not encrypted with KMS CMK - prod.logic.yaml🟢
- Contextual name: 🧠 prod.logic.yaml🟢
- ID:
/ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml - Tags:
Uses
- 📗 AWS EBS Volume
- 🔌 AWS KMS Key - object.extracts.yaml
- 🔌 AWS EBS Volume - object.extracts.yaml
- 🧪 test-data.json
Test Results 🟢
Generated at: 2025-12-27T12:01:47.513902911Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| 🟢 | 001 | ✔️ 99 | ✔️ isDisappeared(CA10__disappearanceTime__c) | ✔️ null |
| 🟢 | 002 | ✔️ 199 | ✔️ extract('CA10__status__c') != 'in-use' | ✔️ null |
| 🟢 | 003 | ✔️ 299 | ✔️ not(extract('CA10__encrypted__c')) | ✔️ null |
| 🟢 | 004 | ✔️ 399 | ✔️ isEmptyLookup('CA10__kmsKey__r') | ✔️ null |
| 🟢 | 005 | ✔️ 499 | ✔️ extract('CA10__kmsKey__r.CA10__manager__c') != 'CUSTOMER' | ✔️ null |
| 🟢 | 006 | ✔️ 599 | ✔️ extract('CA10__encrypted__c') == true && extract('CA10__kmsKey__r.CA10__manager__c') == 'CUSTOMER' | ✔️ null |
Generation Bundle
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/ec2/ebs-volume-cmk-encryption/policy.yaml | 7E78E433E128D19C27D64F674C759DEC |
| Open | /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml | B50ACD42DD77637117706336F1FEA298 |
| Open | /ce/ca/aws/ec2/ebs-volume-cmk-encryption/test-data.json | 10DA11C3D8E13162A2D7E6F8496118BF |
| Open | /types/CA10__CaAwsKmsKey__c/object.extracts.yaml | EC6D0EFD0BFEAB3447A84529724D4AFE |
| Open | /types/CA10__CaAwsVolume__c/object.extracts.yaml | D98F19A3E57995D503E82126277DD66A |
Available Commands
repo-manager policies generate FULL /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/ec2/ebs-volume-cmk-encryption/prod.logic.yaml
Content
inputType: "CA10__CaAwsVolume__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsVolume__c/object.extracts.yaml"
- file: "/types/CA10__CaAwsKmsKey__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This policy only applies to attached EBS volumes. This volume is not attached."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10__status__c"
right:
TEXT: "in-use"
- status: "INAPPLICABLE"
currentStateMessage: "The EBS volume is not encrypted. This is addressed in 'ebs-volume-encryption' policy"
check:
NOT:
arg:
EXTRACT: "CA10__encrypted__c"
- status: "INCOMPLIANT"
currentStateMessage: "The attached EBS volume is not encrypted using a KMS key."
remediationMessage: "Enable KMS customer-managed key encryption for the volume."
check:
IS_EMPTY_LOOKUP: CA10__kmsKey__r
- status: "INCOMPLIANT"
currentStateMessage: "The attached EBS volume is not encrypted using a KMS customer-managed keys."
remediationMessage: "Enable KMS customer-managed keys encryption for the volume."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10__kmsKey__r.CA10__manager__c"
right:
TEXT: 'CUSTOMER'
- status: "COMPLIANT"
currentStateMessage: "The attached EBS volume is encrypted using a KMS customer-managed key."
check:
AND:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10__encrypted__c"
right:
BOOLEAN: true
- IS_EQUAL:
left:
EXTRACT: "CA10__kmsKey__r.CA10__manager__c"
right:
TEXT: 'CUSTOMER'
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected values in the field."