← all rules

iac/cloudformation/cfn-unencrypted-storage

Storage encryption disabled

mediumCloudFormationiac-cloudformation

What it detects

An explicit `StorageEncrypted: false` / `Encrypted: false` leaves data at rest unencrypted on RDS, EBS, or similar resources. Encryption at rest is free on AWS and expected by most compliance baselines.

Remediation

Set the encryption flag to `true` (and supply a KMS key where supported).

How it runs

Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.