EFS Without KMS

  • Query id: 25d251f3-f348-4f95-845c-1090e41a615c
  • Query name: EFS Without KMS
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Amazon Elastic File System (EFS) file systems should have encryption enabled using a KMS customer-managed key (CMK) instead of the AWS-managed key.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_efs_file_system" "positive1" {
  creation_token = "my-product"
  encrypted = true

  tags = {
    Name = "MyProduct"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_efs_file_system" "negative1" {
  creation_token = "my-product"
  encrypted = true
  kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"

  tags = {
    Name = "MyProduct"
  }
}
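The following is an added example, not part of the KICS query or its documentation, showing how the rule above can be checked outside the scanner against a Terraform plan exported with `terraform show -json plan.out`. It walks `planned_values` (root module and nested child modules) and reports every `aws_efs_file_system` that is encrypted without a `kms_key_id`; it also flags file systems whose encryption is off or unset, which is broader than the documented query. The embedded plan is constructed to mirror the positive1 and negative1 samples, and the `module.storage` child module with its `plain` resource is an invented third case.

```python
"""Policy check for the "EFS Without KMS" rule over a Terraform plan JSON.

Added example: not KICS code. Assumes the input is the output of
`terraform show -json`, whose `planned_values.root_module` holds a
`resources` list and optional `child_modules`, each resource carrying
`type`, `address` and a `values` map of known attributes.
"""
import json
import sys

# Constructed sample plan: positive1 and negative1 mirror the page's code
# samples; module.storage / "plain" is an invented unencrypted case.
# An unset kms_key_id is omitted from `values` in a real plan (it is
# unknown until apply), so positive1 simply has no kms_key_id entry.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_efs_file_system.positive1",
                    "type": "aws_efs_file_system",
                    "name": "positive1",
                    "values": {
                        "creation_token": "my-product",
                        "encrypted": True,
                        "tags": {"Name": "MyProduct"},
                    },
                },
                {
                    "address": "aws_efs_file_system.negative1",
                    "type": "aws_efs_file_system",
                    "name": "negative1",
                    "values": {
                        "creation_token": "my-product",
                        "encrypted": True,
                        "kms_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab",
                        "tags": {"Name": "MyProduct"},
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.storage",
                    "resources": [
                        {
                            "address": "module.storage.aws_efs_file_system.plain",
                            "type": "aws_efs_file_system",
                            "name": "plain",
                            "values": {"creation_token": "plain", "encrypted": False},
                        }
                    ],
                }
            ],
        }
    },
}


def iter_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_efs_kms(plan):
    """Return (address, reason) findings for aws_efs_file_system resources.

    A file system passes only when `encrypted` is true and `kms_key_id`
    is a non-empty string (a CMK id or ARN); an absent key id means the
    AWS-managed key would be used.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_efs_file_system":
            continue
        values = res.get("values", {})
        if values.get("encrypted") is not True:
            findings.append((res["address"], "encryption at rest is not enabled"))
        elif not values.get("kms_key_id"):
            findings.append((res["address"], "encrypted with the AWS-managed key, no kms_key_id set"))
    return findings


def check_plan_file(path):
    """Load a plan JSON file from disk and run the check on it."""
    with open(path) as fh:
        return check_efs_kms(json.load(fh))


if __name__ == "__main__":
    # With a path argument, scan that plan file; otherwise scan the sample.
    results = check_plan_file(sys.argv[1]) if len(sys.argv) > 1 else check_efs_kms(SAMPLE_PLAN)
    for address, reason in results:
        print(f"{address}: {reason}")
    sys.exit(1 if results else 0)
```

Because `kms_key_id` is computed when not set, a plan never shows the AWS-managed key ARN it will resolve to; the check therefore treats an absent or empty `kms_key_id` as a finding, which matches the positive sample above. Running the script with a non-zero exit on findings makes it usable as a CI gate after `terraform plan`.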