EFS Not Encrypted

  • Query id: 2ff8e83c-90e1-4d68-a300-6d652112e622
  • Query name: EFS Not Encrypted
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Elastic File System (EFS) must be encrypted
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: false
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
Positive test num. 2 - json file
{
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    },
    "SubnetID2": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID3": {
      "Default": "subnet-ID",
      "Type": "String",
      "Description": "The subnet where to launch the service"
    },
    "SubnetID4": {
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    }
  },
  "Resources": {
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID3"
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID4"
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC",
        "SecurityGroupIngress": [
          {
            "ToPort": 2049,
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp"
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS-SG"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": false,
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Value": "prod",
            "Key": "Environment"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID1"
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "SubnetId": "SubnetID2",
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ]
      }
    }
  },
  "Outputs": {
    "EFS": {
      "Description": "The created EFS",
      "Value": "EFSFileSystem01"
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": "MountTarget1"
    },
    "EFSMountTarget2": {
      "Description": "The EFS MountTarget2",
      "Value": "MountTarget2"
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": "MountTarget3"
    },
    "EFSMountTarget4": {
      "Value": "MountTarget4",
      "Description": "The EFS MountTarget4"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: true
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
Negative test num. 2 - json file
{
  "Resources": {
    "EFSFileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": true,
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Value": "prod",
            "Key": "Environment"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID1"
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID2",
        "FileSystemId": "EFSFileSystem"
      }
    },
    "MountTarget3": {
      "Properties": {
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID3",
        "FileSystemId": "EFSFileSystem"
      },
      "Type": "AWS::EFS::MountTarget"
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID4"
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "ToPort": 2049,
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS-SG"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    }
  },
  "Outputs": {
    "EFSMountTarget2": {
      "Value": "MountTarget2",
      "Description": "The EFS MountTarget2"
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": "MountTarget3"
    },
    "EFSMountTarget4": {
      "Description": "The EFS MountTarget4",
      "Value": "MountTarget4"
    },
    "EFS": {
      "Description": "The created EFS",
      "Value": "EFSFileSystem"
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": "MountTarget1"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Default": "subnet-ID",
      "Type": "String",
      "Description": "The subnet where to launch the service"
    },
    "SubnetID2": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID3": {
      "Type": "String",
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID4": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    }
  }
}