EFS Without KMS
- Query id: bdecd6db-2600-47dd-a10c-72c97cf17ae9
- Query name: EFS Without KMS
- Platform: Crossplane
- Severity: High
- Category: Encryption
- URL: Github
Description¶
Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
name: example3
spec:
forProvider:
region: us-east-1
encrypted: false
providerConfigRef:
name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-ec2
base:
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
name: example4
spec:
forProvider:
region: us-east-1
encrypted: false
providerConfigRef:
name: example
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
name: example
spec:
forProvider:
region: us-east-1
kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
encrypted: true
providerConfigRef:
name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-ec2
base:
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
name: example2
spec:
forProvider:
region: us-east-1
kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
encrypted: true
providerConfigRef:
name: example