EFS Without KMS
- Query id: 6d087495-2a42-4735-abf7-02ef5660a7e6
- Query name: EFS Without KMS
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
VPC:
Type: String
Description: The VPC identity
Default: vpc-ID
SubnetID1:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID2:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
SubnetID3:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID4:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
Resources:
EFSKMSKey:
Type: AWS::KMS::Key
Properties:
Description: "An example CMK with KMS"
KeyPolicy:
Version: "2012-10-17"
Id: "efs-default-key1"
Statement:
- Sid: "Allow administration of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::999999999999:user/roger"
Action:
- "kms:Create*"
- "kms:Describe*"
- "kms:Enable*"
- "kms:List*"
- "kms:Put*"
- "kms:Update*"
- "kms:Revoke*"
- "kms:Disable*"
- "kms:Get*"
- "kms:Delete*"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
Resource: "*"
- Sid: "Allow use of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::999999999999:user/roger"
Action:
- "kms:DescribeKey"
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey"
- "kms:GenerateDataKeyWithoutPlaintext"
Resource: "*"
EFSSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "security group for the prod EFS"
GroupName: "test-EFS-SG"
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: sg-ID
Description: "servers to connect to efs"
FromPort: 2049
IpProtocol: "tcp"
ToPort: 2049
Tags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS-SG
- Key: Project
Value: ITEngineering
EFSFileSystem01:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
Encrypted: false
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
ThroughputMode: bursting
FileSystemTags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS
- Key: Project
Value: ITEngineering
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID1
MountTarget2:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID2
MountTarget3:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID3
MountTarget4:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID4
Outputs:
EFS:
Description: The created EFS
Value: !Ref EFSFileSystem01
EFSMountTarget1:
Description: The EFS MountTarget1
Value: !Ref MountTarget1
EFSMountTarget2:
Description: The EFS MountTarget2
Value: !Ref MountTarget2
EFSMountTarget3:
Description: The EFS MountTarget3
Value: !Ref MountTarget3
EFSMountTarget4:
Description: The EFS MountTarget4
Value: !Ref MountTarget4
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create EFS system and Mount Targets for test VPC",
"Parameters": {
"VPC": {
"Type": "String",
"Description": "The VPC identity",
"Default": "vpc-ID"
},
"SubnetID1": {
"Type": "String",
"Description": "The subnet where to launch the service",
"Default": "subnet-ID"
},
"SubnetID2": {
"Default": "subnet-ID",
"Type": "String",
"Description": "the subnet where to Launch the service"
},
"SubnetID3": {
"Description": "The subnet where to launch the service",
"Default": "subnet-ID",
"Type": "String"
},
"SubnetID4": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
}
},
"Resources": {
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID1"
}
},
"MountTarget2": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID2"
}
},
"MountTarget3": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID3"
}
},
"MountTarget4": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID4"
}
},
"EFSKMSKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "An example CMK with KMS",
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "efs-default-key1",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/roger"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*",
"Sid": "Allow administration of the key"
},
{
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/roger"
}
}
]
}
}
},
"EFSSecurityGroup": {
"Properties": {
"SecurityGroupIngress": [
{
"SourceSecurityGroupId": "sg-ID",
"Description": "servers to connect to efs",
"FromPort": 2049,
"IpProtocol": "tcp",
"ToPort": 2049
}
],
"Tags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Value": "test-VPC-EFS-SG",
"Key": "Name"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
],
"GroupDescription": "security group for the prod EFS",
"GroupName": "test-EFS-SG",
"VpcId": "VPC"
},
"Type": "AWS::EC2::SecurityGroup"
},
"EFSFileSystem01": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"LifecyclePolicies": [
{
"TransitionToIA": "AFTER_60_DAYS"
}
],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"FileSystemTags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Name",
"Value": "test-VPC-EFS"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
],
"BackupPolicy": {
"Status": "ENABLED"
},
"Encrypted": false
}
}
},
"Outputs": {
"EFSMountTarget2": {
"Description": "The EFS MountTarget2",
"Value": "MountTarget2"
},
"EFSMountTarget3": {
"Description": "The EFS MountTarget3",
"Value": "MountTarget3"
},
"EFSMountTarget4": {
"Value": "MountTarget4",
"Description": "The EFS MountTarget4"
},
"EFS": {
"Description": "The created EFS",
"Value": "EFSFileSystem01"
},
"EFSMountTarget1": {
"Description": "The EFS MountTarget1",
"Value": "MountTarget1"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
VPC:
Type: String
Description: The VPC identity
Default: vpc-ID
SubnetID1:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID2:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
SubnetID3:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID4:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
Resources:
EFSKMSKey:
Type: AWS::KMS::Key
Properties:
Description: "An example CMK with KMS"
KeyPolicy:
Version: "2012-10-17"
Id: "efs-default-key1"
Statement:
- Sid: "Allow administration of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::999999999999:user/roger"
Action:
- "kms:Create*"
- "kms:Describe*"
- "kms:Enable*"
- "kms:List*"
- "kms:Put*"
- "kms:Update*"
- "kms:Revoke*"
- "kms:Disable*"
- "kms:Get*"
- "kms:Delete*"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
Resource: "*"
- Sid: "Allow use of the key"
Effect: "Allow"
Principal:
AWS: "arn:aws:iam::999999999999:user/roger"
Action:
- "kms:DescribeKey"
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey"
- "kms:GenerateDataKeyWithoutPlaintext"
Resource: "*"
EFSSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "security group for the prod EFS"
GroupName: "test-EFS-SG"
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: sg-ID
Description: "servers to connect to efs"
FromPort: 2049
IpProtocol: "tcp"
ToPort: 2049
Tags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS-SG
- Key: Project
Value: ITEngineering
EFSFileSystem01:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
Encrypted: false
KmsKeyId: !Ref EFSKMSKey
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
ThroughputMode: bursting
FileSystemTags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS
- Key: Project
Value: ITEngineering
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID1
MountTarget2:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID2
MountTarget3:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID3
MountTarget4:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID4
Outputs:
EFS:
Description: The created EFS
Value: !Ref EFSFileSystem01
EFSMountTarget1:
Description: The EFS MountTarget1
Value: !Ref MountTarget1
EFSMountTarget2:
Description: The EFS MountTarget2
Value: !Ref MountTarget2
EFSMountTarget3:
Description: The EFS MountTarget3
Value: !Ref MountTarget3
EFSMountTarget4:
Description: The EFS MountTarget4
Value: !Ref MountTarget4
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create EFS system and Mount Targets for test VPC",
"Parameters": {
"VPC": {
"Type": "String",
"Description": "The VPC identity",
"Default": "vpc-ID"
},
"SubnetID1": {
"Description": "The subnet where to launch the service",
"Default": "subnet-ID",
"Type": "String"
},
"SubnetID2": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
},
"SubnetID3": {
"Type": "String",
"Description": "The subnet where to launch the service",
"Default": "subnet-ID"
},
"SubnetID4": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
}
},
"Resources": {
"EFSKMSKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "An example CMK with KMS",
"KeyPolicy": {
"Version": "2012-10-17",
"Id": "efs-default-key1",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/roger"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::999999999999:user/roger"
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Sid": "Allow use of the key"
}
]
}
}
},
"EFSSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"Tags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Name",
"Value": "test-VPC-EFS-SG"
},
{
"Value": "ITEngineering",
"Key": "Project"
}
],
"GroupDescription": "security group for the prod EFS",
"GroupName": "test-EFS-SG",
"VpcId": "VPC",
"SecurityGroupIngress": [
{
"SourceSecurityGroupId": "sg-ID",
"Description": "servers to connect to efs",
"FromPort": 2049,
"IpProtocol": "tcp",
"ToPort": 2049
}
]
}
},
"EFSFileSystem01": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"BackupPolicy": {
"Status": "ENABLED"
},
"Encrypted": false,
"KmsKeyId": "EFSKMSKey",
"LifecyclePolicies": [
{
"TransitionToIA": "AFTER_60_DAYS"
}
],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"FileSystemTags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Name",
"Value": "test-VPC-EFS"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
]
}
},
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID1"
}
},
"MountTarget2": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID2"
}
},
"MountTarget3": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"SubnetId": "SubnetID3",
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
]
}
},
"MountTarget4": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"SubnetId": "SubnetID4",
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
]
}
}
},
"Outputs": {
"EFSMountTarget2": {
"Description": "The EFS MountTarget2",
"Value": "MountTarget2"
},
"EFSMountTarget3": {
"Description": "The EFS MountTarget3",
"Value": "MountTarget3"
},
"EFSMountTarget4": {
"Description": "The EFS MountTarget4",
"Value": "MountTarget4"
},
"EFS": {
"Description": "The created EFS",
"Value": "EFSFileSystem01"
},
"EFSMountTarget1": {
"Description": "The EFS MountTarget1",
"Value": "MountTarget1"
}
}
}