EFS Without KMS

  • Query id: bdecd6db-2600-47dd-a10c-72c97cf17ae9
  • Query name: EFS Without KMS
  • Platform: Crossplane
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: example3
spec:
  forProvider:
    region: us-east-1
    encrypted: false
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: efs.aws.crossplane.io/v1alpha1
        kind: FileSystem
        metadata:
          name: example4
        spec:
          forProvider:
            region: us-east-1
            encrypted: false
          providerConfigRef:
            name: example

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: example
spec:
  forProvider:
    region: us-east-1
    kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
    encrypted: true
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: efs.aws.crossplane.io/v1alpha1
        kind: FileSystem
        metadata:
          name: example2
        spec:
          forProvider:
            region: us-east-1
            kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
            encrypted: true
          providerConfigRef:
            name: example