diff --git a/aws/terraform/abstract/aws-instance/expected/main.tf b/aws/terraform/abstract/aws-instance/expected/main.tf
new file mode 100644
index 0000000..fe3332d
--- /dev/null
+++ b/aws/terraform/abstract/aws-instance/expected/main.tf
@@ -0,0 +1,14 @@
+resource "aws_instance" "example" {
+ ami = "ami-0c55b159cbfafe1f0"
+ instance_type = "t3.medium"
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+
+ encrypted = true
+ }
+
+ root_block_device {
+ encrypted = true
+ }
+}
diff --git a/aws/terraform/abstract/aws-instance/gomboc.yaml b/aws/terraform/abstract/aws-instance/gomboc.yaml
new file mode 100644
index 0000000..e5970c9
--- /dev/null
+++ b/aws/terraform/abstract/aws-instance/gomboc.yaml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=../../../../gomboc-schema/test-case.yaml
+
+name: Encrypt aws instance data at rest
+
+provider: AWS
+iac:
+ language: terraform
+ version: v1.5.8
+
+canBeApplied: false
+
+benchmarkRecommendations:
+ - id: gomboc-ai/cis/controls_8-1-2/3_data_protection/3-11_encrypt_sensitive_data_at_rest
+ name: CIS - Controls 8.1.2 - 3 Data Protection - 3.11 Encrypt Sensitive Data at Rest
+ benchmark: CIS Amazon Web Services Foundations Benchmark
+ benchmarkVersion: v8.1.2
diff --git a/aws/terraform/abstract/aws-instance/main.tf b/aws/terraform/abstract/aws-instance/main.tf
new file mode 100644
index 0000000..23a3dd9
--- /dev/null
+++ b/aws/terraform/abstract/aws-instance/main.tf
@@ -0,0 +1,8 @@
+resource "aws_instance" "example" {
+ ami = "ami-0c55b159cbfafe1f0"
+ instance_type = "t3.medium"
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ }
+}
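Review bot: In `expected/main.tf`, `device_name = "/dev/xvda"` inside `ebs_block_device` is the root device name on many Linux AMIs, so once `root_block_device` is added the two blocks may describe the same volume; whether that is true for this AMI cannot be told from the hunk. A data-volume name such as `device_name = "/dev/sdf"` would keep the fixture unambiguous, and the same line would need changing in the input `main.tf` later in this diff. Both blocks set `encrypted = true` without `kms_key_id`, which leaves the volumes on the account's default EBS key. A comment such as `# no kms_key_id: encrypted with the account default EBS KMS key` would make that choice explicit for anyone who needs a customer-managed key.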
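Review bot: In `gomboc.yaml`, `benchmark: CIS Amazon Web Services Foundations Benchmark` does not agree with the `id` and `name` lines, which both point at CIS Controls 8.1.2 safeguard 3.11, and `benchmarkVersion: v8.1.2` also reads as a Controls version rather than a Foundations Benchmark version. If the field is meant to name the framework, `benchmark: CIS Critical Security Controls` looks closer to the intent; the schema file is not part of this diff, so this needs confirming against it. `canBeApplied: false` carries no explanation, and a line above it such as `# canBeApplied is false because <reason from author>` would tell the next maintainer whether the remediation is unsafe to apply or simply untested.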
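Review bot: Nothing in the input `main.tf` marks it as deliberately non-compliant test data, so it can be mistaken for a usable example or flagged by a scanner without context. A first-line comment such as `# Test input: volumes intentionally left unencrypted; see expected/main.tf for the remediated form` would cover that. The fixture exercises a missing `encrypted` attribute and a missing `root_block_device` block, but not an explicit `encrypted = false`, which may deserve its own case.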