Will It Vibe logoWill It Vibe?
TF-006High severity-15 points

Unencrypted EBS volume or block device

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

encrypted = false leaves an EBS volume, block device, or root volume unencrypted at rest, so a snapshot or detached disk exposes its data.

Why it matters

encrypted = false leaves the EBS volume, root device, or snapshot data unencrypted on disk. A detached volume, a shared snapshot, or physical access to the storage then exposes everything on it in the clear. Encryption at rest costs nothing extra and is expected for any data-bearing volume.

How to fix it

Set encrypted = true on the volume or block device, and provide a kms_key_id to use a customer-managed key where you need auditable, revocable access. Enable EBS encryption by default at the account level so new volumes are covered automatically. Note that an existing unencrypted volume must be re-created or migrated via a snapshot copy to become encrypted.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks