EFS Without Tags
- Query id: 08e39832-5e42-4304-98a0-aa5b43393162
- Query name: EFS Without Tags
- Platform: CloudFormation
- Severity: Low
- Category: Build Process
- CWE: Ongoing
- URL: Github
Description¶
Amazon Elastic Filesystem should have filesystem tags associated
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
Owner:
Type: String
Default: FirstName LastName
Project:
Type: String
Default: EFS Mount
VPC:
Type: AWS::EC2::VPC::Id
Subnet1:
Type: AWS::EC2::Subnet::Id
Resources:
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
Encrypted: true
PerformanceMode: generalPurpose
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref FileSystem
SubnetId: !Ref Subnet1
SecurityGroups:
- !Ref EfsSecurityGroup
EfsSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Instance to EFS Mount Access
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Ref AWS::StackName
- Key: Owner
Value: !Ref Owner
- Key: Project
Value: !Ref Project
Positive test num. 2 - json file
{
"Parameters": {
"Project": {
"Default": "EFS Mount",
"Type": "String"
},
"VPC": {
"Type": "AWS::EC2::VPC::Id"
},
"Subnet1": {
"Type": "AWS::EC2::Subnet::Id"
},
"Owner": {
"Type": "String",
"Default": "FirstName LastName"
}
},
"Resources": {
"EfsSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Instance to EFS Mount Access",
"VpcId": "VPC",
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
},
{
"Key": "Owner",
"Value": "Owner"
},
{
"Key": "Project",
"Value": "Project"
}
]
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"Encrypted": true,
"PerformanceMode": "generalPurpose"
}
},
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "FileSystem",
"SubnetId": "Subnet1",
"SecurityGroups": [
"EfsSecurityGroup"
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create Elastic File System"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
Owner:
Type: String
Default: FirstName LastName
Project:
Type: String
Default: EFS Mount
VPC:
Type: AWS::EC2::VPC::Id
Subnet1:
Type: AWS::EC2::Subnet::Id
Resources:
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
FileSystemTags:
- Key: Name
Value: !Ref AWS::StackName
- Key: Owner
Value: !Ref Owner
- Key: Project
Value: !Ref Project
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref FileSystem
SubnetId: !Ref Subnet1
SecurityGroups:
- !Ref EfsSecurityGroup
EfsSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Instance to EFS Mount Access
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Ref AWS::StackName
- Key: Owner
Value: !Ref Owner
- Key: Project
Value: !Ref Project
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create Elastic File System",
"Parameters": {
"VPC": {
"Type": "AWS::EC2::VPC::Id"
},
"Subnet1": {
"Type": "AWS::EC2::Subnet::Id"
},
"Owner": {
"Type": "String",
"Default": "FirstName LastName"
},
"Project": {
"Type": "String",
"Default": "EFS Mount"
}
},
"Resources": {
"EfsSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "AWS::StackName"
},
{
"Key": "Owner",
"Value": "Owner"
},
{
"Key": "Project",
"Value": "Project"
}
],
"GroupDescription": "Instance to EFS Mount Access",
"VpcId": "VPC"
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"FileSystemTags": [
{
"Key": "Name",
"Value": "AWS::StackName"
},
{
"Key": "Owner",
"Value": "Owner"
},
{
"Key": "Project",
"Value": "Project"
}
]
}
},
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "FileSystem",
"SubnetId": "Subnet1",
"SecurityGroups": [
"EfsSecurityGroup"
]
}
}
}
}