
bug: EC2EBSVolumeEncrypted (AwsSolutions-EC26): Non compliant when no volumes are defined #1441

Open
udondan opened this issue Sep 13, 2023 · 1 comment
Labels
other This issue doesn't fit into the other categories

Comments


udondan commented Sep 13, 2023

What is the problem?

I have an ASG defined like so:

    const asg = new aws_autoscaling.AutoScalingGroup(this, 'asg', {
      ...
      machineImage: ami,
    });

The blockDevices property of the ASG contains this description:

    @default - Uses the block device mapping of the AMI

So my understanding is that the volumes are encrypted when the AMI device mapping is encrypted. The AMI device mapping indeed is encrypted, and so is the volume of the resulting EC2 instances of the ASG.

cdk-nag fails with

    [Error at /StackName/asg/LaunchConfig] AwsSolutions-EC26: The resource creates one or more EBS volumes that have encryption disabled.

The source of this false positive is

    if (blockDeviceMappings == undefined) {
      return NagRuleCompliance.NON_COMPLIANT;
    } else {

Is this intentional, and am I supposed to suppress this? IMHO, when no volumes are defined, there should be nothing to complain about. At the very least, the error message should be adjusted and instead point out that this might be due to the use of an AMI without specifically setting blockDevices.

Reproduction Steps

Create an ASG w/o blockDevices.

What did you expect to happen?

Validation passes

What actually happened?

Validation fails

    [Error at /StackName/asg/LaunchConfig] AwsSolutions-EC26: The resource creates one or more EBS volumes that have encryption disabled.

cdk-nag version

2.27.129

Language

Typescript

Other information

No response

@udondan udondan added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2023
@dontirun (Collaborator) commented

Yes, this is intentional. If you don't explicitly set the root volume on the EC2 instance as encrypted, it will be unencrypted.

The documentation around this rule isn't great 😔, any suggestions?

@dontirun dontirun added other This issue doesn't fit into the other categories and removed bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2023
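To make the behaviour discussed above concrete, here is an added stand-alone model of the AwsSolutions-EC26 check run over constructed CloudFormation launch-configuration fragments. It is not cdk-nag's own code: the undefined-mappings branch mirrors the snippet quoted in the issue, while the per-volume check (every EBS-backed mapping must carry Encrypted: true) and the property shapes are assumptions about the rest of the rule. The `ami-PLACEHOLDER` image id and the `/dev/xvda` device name are constructed sample values.

```typescript
// Minimal shape of AWS::AutoScaling::LaunchConfiguration properties (assumed subset).
type EbsSpec = { Encrypted?: boolean; VolumeSize?: number };
type BlockDeviceMapping = { DeviceName: string; Ebs?: EbsSpec; VirtualName?: string };
type LaunchConfigProps = { ImageId: string; BlockDeviceMappings?: BlockDeviceMapping[] };
type Compliance = 'COMPLIANT' | 'NON_COMPLIANT';

// Model of the EC26 rule, not cdk-nag's implementation.
function checkEc26(props: LaunchConfigProps): Compliance {
  const blockDeviceMappings = props.BlockDeviceMappings;
  // Mirrors the branch quoted in the issue: with no mappings the rule cannot see
  // an explicit Encrypted: true, so it reports NON_COMPLIANT even when the AMI's
  // own block device mapping is encrypted.
  if (blockDeviceMappings == undefined) {
    return 'NON_COMPLIANT';
  }
  // Assumed remainder of the rule: every EBS-backed mapping must set Encrypted: true.
  // Instance-store (ephemeral) mappings have no Ebs block and nothing to encrypt.
  for (const mapping of blockDeviceMappings) {
    if (mapping.Ebs !== undefined && mapping.Ebs.Encrypted !== true) {
      return 'NON_COMPLIANT';
    }
  }
  return 'COMPLIANT';
}

// Message the reporter asked for: distinguish "nothing declared" from "declared unencrypted".
function ec26Message(props: LaunchConfigProps): string | undefined {
  if (checkEc26(props) === 'COMPLIANT') return undefined;
  return props.BlockDeviceMappings == undefined
    ? 'No blockDevices set; the AMI mapping is used and cannot be verified as encrypted.'
    : 'One or more EBS volumes are declared without Encrypted: true.';
}

// Constructed fragments of what the CDK launch configuration could synthesize to.
const asgFromAmiOnly: LaunchConfigProps = { ImageId: 'ami-PLACEHOLDER' };
// CDK counterpart of this fragment (assumed):
//   blockDevices: [{ deviceName: '/dev/xvda',
//                    volume: aws_autoscaling.BlockDeviceVolume.ebs(8, { encrypted: true }) }]
const asgWithEncryptedRoot: LaunchConfigProps = {
  ImageId: 'ami-PLACEHOLDER',
  BlockDeviceMappings: [{ DeviceName: '/dev/xvda', Ebs: { VolumeSize: 8, Encrypted: true } }],
};
const asgWithPlainRoot: LaunchConfigProps = {
  ImageId: 'ami-PLACEHOLDER',
  BlockDeviceMappings: [{ DeviceName: '/dev/xvda', Ebs: { VolumeSize: 8 } }],
};
```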