EFS Without KMS

  • Query id: bd77554e-f138-40c5-91b2-2a09f878608e
  • Query name: EFS Without KMS
  • Platform: Ansible
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Amazon Elastic File System (EFS) should have file system encryption enabled using a KMS customer-managed key (CMK) rather than the AWS managed key.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
    kms_key_id: "some-key-id"
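The rule above, as a small Python linter over a parsed Ansible playbook (an added example, not the KICS query itself nor code from the community.aws.efs module). It assumes the input is what PyYAML's yaml.safe_load returns for the playbook and, following the description, also flags tasks that enable encryption but give no kms_key_id; the page's two samples are embedded as constructed literals so it runs offline.

```python
# Added example (not from the KICS page or the community.aws.efs module): a
# linter applying the "EFS Without KMS" rule to the structure yaml.safe_load
# returns for a playbook. The page's samples are embedded as constructed literals.
EFS_MODULES = ("community.aws.efs", "efs")   # FQCN and its short name
TRUE_STRINGS = {"yes", "true", "on", "1"}     # strings Ansible treats as true

def _is_true(value):
    """Interpret an Ansible boolean: a YAML bool or a true-ish string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_STRINGS

def _iter_tasks(items):
    """Yield every task dict, flattening plays and block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = [k for k in ("tasks", "pre_tasks", "post_tasks",
                              "block", "rescue", "always") if k in item]
        if nested:
            for k in nested:
                yield from _iter_tasks(item[k])
        else:
            yield item

def check_efs_without_kms(playbook):
    """Return (task name, reason) for each EFS task not protected by a CMK."""
    findings = []
    for task in _iter_tasks(playbook):
        module = next((m for m in EFS_MODULES if m in task), None)
        if module is None:
            continue
        params = task[module] if isinstance(task[module], dict) else {}
        name = task.get("name", "<unnamed>")
        if not _is_true(params.get("encrypt", False)):      # module default is no
            findings.append((name, "encrypt is not enabled"))
        elif not str(params.get("kms_key_id") or "").strip():
            findings.append((name, "no kms_key_id: the AWS managed key would be used"))
    return findings

# The page's positive (vulnerable) sample as parsed YAML (constructed literal).
POSITIVE_SAMPLE = [{"name": "foo", "community.aws.efs": {
    "state": "present", "name": "myTestEFS", "encrypt": False,
    "tags": {"Name": "myTestNameTag", "purpose": "file-storage"},
    "targets": [{"subnet_id": "subnet-748c5d03", "security_groups": ["sg-1a2b3c4d"]}]}}]
# The page's negative (compliant) sample: encryption on and a CMK supplied.
NEGATIVE_SAMPLE = [{"name": "foo", "community.aws.efs": {
    "state": "present", "name": "myTestEFS", "encrypt": True,
    "kms_key_id": "some-key-id"}}]
```

Run check_efs_without_kms on the list yaml.safe_load returns for a playbook or task file; an empty result means every EFS task encrypts with a customer-managed key.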