EFS Volume With Disabled Transit Encryption
- Query id: 4c3267c9-b2ac-40bf-93f6-b610fb8c7b9f
- Query name: EFS Volume With Disabled Transit Encryption
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description
An Amazon EFS volume does not have encryption of data in transit enabled. In the Terraform AWS provider this is controlled by the 'transit_encryption' argument of the 'efs_volume_configuration' block inside an 'aws_ecs_task_definition' volume; the 'aws_efs_file_system' resource has no such argument, and its 'encrypted' flag covers data at rest only. Set 'transit_encryption = "ENABLED"'. When the argument is omitted the AWS default is DISABLED, so a volume configuration that leaves it out is reported as well.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
provider "aws" {
  region = "us-west-2"
}
resource "aws_efs_file_system" "example" {
  creation_token   = "example"
  encrypted        = true # at-rest encryption only; says nothing about transit
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
  tags = {
    Name = "example-efs"
  }
}
resource "aws_efs_mount_target" "example" {
  file_system_id  = aws_efs_file_system.example.id
  subnet_id       = "subnet-0123456789abcdef0"
  security_groups = ["sg-0123456789abcdef0"]
}
resource "aws_ecs_task_definition" "example" {
  family = "example"
  container_definitions = jsonencode([{
    name        = "app"
    image       = "nginx"
    mountPoints = [{ sourceVolume = "example-efs", containerPath = "/data" }]
  }])
  volume {
    name = "example-efs"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.example.id
      transit_encryption = "DISABLED" # flagged: NFS traffic to the mount target is plaintext
    }
  }
}
Positive test num. 2 - tf file
provider "aws" {
  region = "us-west-2"
}
resource "aws_efs_file_system" "example" {
  creation_token   = "example"
  encrypted        = true # at-rest encryption only; says nothing about transit
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
  tags = {
    Name = "example-efs"
  }
}
resource "aws_efs_mount_target" "example" {
  file_system_id  = aws_efs_file_system.example.id
  subnet_id       = "subnet-0123456789abcdef0"
  security_groups = ["sg-0123456789abcdef0"]
}
resource "aws_ecs_task_definition" "example" {
  family = "example"
  container_definitions = jsonencode([{
    name        = "app"
    image       = "nginx"
    mountPoints = [{ sourceVolume = "example-efs", containerPath = "/data" }]
  }])
  volume {
    name = "example-efs"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.example.id
      # transit_encryption omitted: the AWS default is DISABLED, so this is also flagged
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
provider "aws" {
  region = "us-west-2"
}
resource "aws_efs_file_system" "example" {
  creation_token   = "example"
  encrypted        = true # at-rest encryption; transit is handled per volume below
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
  tags = {
    Name = "example-efs"
  }
}
resource "aws_efs_mount_target" "example" {
  file_system_id  = aws_efs_file_system.example.id
  subnet_id       = "subnet-0123456789abcdef0"
  security_groups = ["sg-0123456789abcdef0"]
}
resource "aws_ecs_task_definition" "example" {
  family = "example"
  container_definitions = jsonencode([{
    name        = "app"
    image       = "nginx"
    mountPoints = [{ sourceVolume = "example-efs", containerPath = "/data" }]
  }])
  volume {
    name = "example-efs"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.example.id
      transit_encryption = "ENABLED" # NFS traffic is wrapped in TLS by the EFS mount helper
    }
  }
}
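Setting 'transit_encryption = "ENABLED"' only protects the one task definition that carries it; any other client (another task, an EC2 instance mounting without the mount helper's 'tls' option) can still talk plaintext NFS to the same mount target. The following is an added example, not part of the KICS query or its samples, showing the file system policy AWS documents for enforcing in-transit encryption: it denies every request to the file system whose 'aws:SecureTransport' condition key is false. The 'aws_efs_file_system' resource is assumed to be the one from the negative test above; the resource and data source names ('enforce_tls') are chosen here.

```hcl
provider "aws" {
  region = "us-west-2"
}

# Same file system as the negative test above. 'encrypted' covers data at
# rest only; transit encryption is enforced by the policy further down.
resource "aws_efs_file_system" "example" {
  creation_token   = "example"
  encrypted        = true
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
  tags = {
    Name = "example-efs"
  }
}

# Deny every action on the file system when the request did not arrive over
# TLS. aws:SecureTransport is false for a plain NFS mount (no '-o tls' with
# the mount helper, or transit_encryption = "DISABLED" in an ECS volume), so
# such mounts fail instead of silently sending data in the clear.
data "aws_iam_policy_document" "enforce_tls" {
  statement {
    sid       = "DenyUnencryptedTransport"
    effect    = "Deny"
    actions   = ["*"]
    resources = [aws_efs_file_system.example.arn]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_efs_file_system_policy" "enforce_tls" {
  file_system_id = aws_efs_file_system.example.id
  policy         = data.aws_iam_policy_document.enforce_tls.json
}
```

With this policy in place the ECS volume must keep 'transit_encryption = "ENABLED"', and an EC2 client must mount with the EFS mount helper and the 'tls' option (for example 'mount -t efs -o tls fs-0123456789abcdef0:/ /mnt/efs'); a mount that skips TLS is rejected at the service rather than merely flagged by the scanner. Apply the policy and the ENABLED setting in the same change, otherwise running tasks that still use a DISABLED volume lose access when the policy lands.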