Check EBS volume encryption with AWS Go SDK

[EC2.3] Attached EBS volumes should be encrypted at-rest

aws configure --profile <profilename>
package main

// main runs the EBS encryption assessment once per region listed in reg.
// Add more region names to the slice to widen the sweep.
func main() {
	// Only these two regions are of interest here.
	reg := []string{"us-west-2", "eu-west-1"}
	for _, r := range reg {
		// AssessEncryption is exported by the separate assessencryption
		// package; it receives the region to query and the name of the
		// AWS profile whose shared credentials are used for the API calls.
		assessencryption.AssessEncryption(r, "my-aws-profile")
	}
}
package assessencryptionimport (
"fmt"
"log"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
)
// ebsVolume holds the subset of DescribeVolumes output that the encryption
// assessment reports on.
type ebsVolume struct {
	volumeID   string // EBS volume ID
	az         string // availability zone the volume lives in
	encrypted  bool   // true when the volume is encrypted at rest
	inusestate string // volume State string as reported by the API
}
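// AssessEncryption assesses EBS volume encryption details for one region.
//
// It lists every EBS volume visible to awsProfile in region and prints the
// total, the number of unencrypted volumes and the unencrypted percentage to
// stdout. When the region has no volumes only the total is printed, which
// also avoids dividing by zero for the percentage.
//
// The count covers every volume DescribeVolumes returns regardless of its
// State; the [EC2.3] control is scoped to attached volumes, so filter on
// inusestate if an exact mapping to the control is wanted.
func AssessEncryption(region string, awsProfile string) {
	// session.New swallows configuration errors; NewSession reports them so a
	// bad profile or region is surfaced instead of failing on the first call.
	sess, err := session.NewSession(&aws.Config{
		Region:      aws.String(region),
		Credentials: credentials.NewSharedCredentials("", awsProfile),
	})
	if err != nil {
		log.Fatalf("creating session for region %q: %v", region, err)
	}
	svc := ec2.New(sess)

	// No filters: every volume in the region. getVolumes follows NextToken,
	// so the result spans all pages, not just the first one.
	var volumes []ebsVolume
	volumeresult := getVolumes(&ec2.DescribeVolumesInput{}, svc, volumes)
	fmt.Printf("Total EBS volumes in Region: %v is %v\n", region, len(volumeresult))

	countUnencryptedEBS := 0
	for _, ev := range volumeresult {
		if !ev.encrypted {
			countUnencryptedEBS++
		}
	}
	if len(volumeresult) == 0 {
		return
	}
	fmt.Printf("Total Unencrypted EBS volumes in Region: %v is %v\n", region, countUnencryptedEBS)
	percent := float64(countUnencryptedEBS) / float64(len(volumeresult)) * 100
	fmt.Printf("Percentage of Unencrypted EBS volumes in Region: %v is %.2f\n", region, percent)
}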
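// getVolumes appends every volume returned by DescribeVolumes for ebsinput to
// vol and returns the grown slice. It follows NextToken so that all pages are
// collected; ebsinput is mutated as its NextToken is advanced.
//
// On an API error the process exits via log.Fatalf with the error text.
func getVolumes(ebsinput *ec2.DescribeVolumesInput, svc *ec2.EC2, vol []ebsVolume) []ebsVolume {
	// A loop replaces the original recursion, whose return value was
	// discarded so that every page after the first was silently lost.
	for {
		ebsoutput, err := svc.DescribeVolumes(ebsinput)
		if err != nil {
			log.Fatalf("describing EBS volumes: %v", err)
		}
		for _, v := range ebsoutput.Volumes {
			// The aws.*Value helpers map a nil pointer to the zero value
			// instead of panicking on a missing field. A nil Encrypted
			// therefore reads as false and is counted as unencrypted.
			vol = append(vol, ebsVolume{
				volumeID:   aws.StringValue(v.VolumeId),
				az:         aws.StringValue(v.AvailabilityZone),
				encrypted:  aws.BoolValue(v.Encrypted),
				inusestate: aws.StringValue(v.State),
			})
		}
		// NextToken is nil once there are no more pages.
		if ebsoutput.NextToken == nil {
			return vol
		}
		ebsinput.SetNextToken(*ebsoutput.NextToken)
	}
}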
Total EBS volumes in Region: us-west-2 is 1000
Total Unencrypted EBS volumes in Region: us-west-2 is 100
Percentage of Unencrypted EBS volumes in Region: us-west-2 is 10.00
Total EBS volumes in Region: eu-west-1 is 1000
Total Unencrypted EBS volumes in Region: eu-west-1 is 200
Percentage of Unencrypted EBS volumes in Region: eu-west-1 is 20.00
