ECS Task Definition Volume Not Encrypted
- Query id: 4d46ff3b-7160-41d1-a310-71d6d370b08f
- Query name: ECS Task Definition Volume Not Encrypted
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description¶
Amazon ECS Task Definition does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'transit_encryption'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - tf file
resource "aws_ecs_task_definition" "service" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
efs_volume_configuration {
file_system_id = aws_efs_file_system.fs.id
root_directory = "/opt/data"
transit_encryption = "DISABLED"
transit_encryption_port = 2999
authorization_config {
access_point_id = aws_efs_access_point.test.id
iam = "ENABLED"
}
}
}
}
Postitive test num. 2 - tf file
resource "aws_ecs_task_definition" "service_2" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
efs_volume_configuration {
file_system_id = aws_efs_file_system.fs.id
root_directory = "/opt/data"
transit_encryption_port = 2999
authorization_config {
access_point_id = aws_efs_access_point.test.id
iam = "ENABLED"
}
}
}
}
Postitive test num. 3 - tf file
resource "aws_ecs_task_definition" "service_2" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_ecs_task_definition" "service" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
efs_volume_configuration {
file_system_id = aws_efs_file_system.fs.id
root_directory = "/opt/data"
transit_encryption = "ENABLED"
transit_encryption_port = 2999
authorization_config {
access_point_id = aws_efs_access_point.test.id
iam = "ENABLED"
}
}
}
}