EFS Without Tags

  • Query id: 08e39832-5e42-4304-98a0-aa5b43393162
  • Query name: EFS Without Tags
  • Platform: CloudFormation
  • Severity: Low
  • Category: Build Process
  • CWE: Ongoing
  • URL: Github

Description

Amazon Elastic File System (EFS) file systems should have file system tags associated with them.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample for "EFS Without Tags": the AWS::EFS::FileSystem resource
# below declares no FileSystemTags property, so the file system is created
# without tags. The other resources are tagged or untagged independently;
# the query looks only at the file system resource itself.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
  # Owner and Project feed the Tags on the security group below.
  Owner:
    Type: String
    Default: FirstName LastName
  Project:
    Type: String
    Default: EFS Mount
  VPC:
    Type: AWS::EC2::VPC::Id
  Subnet1:
    Type: AWS::EC2::Subnet::Id
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      # Encrypted/PerformanceMode are set, but they are unrelated to this
      # query; FileSystemTags is the property whose absence is reported.
      Encrypted: true
      PerformanceMode: generalPurpose
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref Subnet1
      SecurityGroups:
      - !Ref EfsSecurityGroup
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instance to EFS Mount Access
      VpcId: !Ref VPC
      # Tags here belong to the security group resource, not to FileSystem;
      # they do not satisfy the query.
      Tags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project
Positive test num. 2 - json file
{
  "Parameters": {
    "Project": {
      "Default": "EFS Mount",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id"
    },
    "Subnet1": {
      "Type": "AWS::EC2::Subnet::Id"
    },
    "Owner": {
      "Type": "String",
      "Default": "FirstName LastName"
    }
  },
  "Resources": {
    "EfsSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Instance to EFS Mount Access",
        "VpcId": "VPC",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ]
      }
    },
    "FileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "Encrypted": true,
        "PerformanceMode": "generalPurpose"
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "FileSystem",
        "SubnetId": "Subnet1",
        "SecurityGroups": [
          "EfsSecurityGroup"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Elastic File System"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative sample for "EFS Without Tags": the AWS::EFS::FileSystem resource
# carries a FileSystemTags list (Name, Owner, Project), which is what the
# query requires, so no finding is raised for it.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
  # Owner and Project are referenced by the FileSystemTags and the security
  # group Tags below.
  Owner:
    Type: String
    Default: FirstName LastName
  Project:
    Type: String
    Default: EFS Mount
  VPC:
    Type: AWS::EC2::VPC::Id
  Subnet1:
    Type: AWS::EC2::Subnet::Id
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      # FileSystemTags is the property this query checks for on the file
      # system resource (the security group's Tags below do not count).
      # NOTE(review): unlike the positive sample, this template does not set
      # Encrypted or PerformanceMode; that is outside this query's scope.
      FileSystemTags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref Subnet1
      SecurityGroups:
      - !Ref EfsSecurityGroup
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instance to EFS Mount Access
      VpcId: !Ref VPC
      # Same Name/Owner/Project tags applied to the security group resource.
      Tags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Elastic File System",
  "Parameters": {
    "VPC": {
      "Type": "AWS::EC2::VPC::Id"
    },
    "Subnet1": {
      "Type": "AWS::EC2::Subnet::Id"
    },
    "Owner": {
      "Type": "String",
      "Default": "FirstName LastName"
    },
    "Project": {
      "Type": "String",
      "Default": "EFS Mount"
    }
  },
  "Resources": {
    "EfsSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ],
        "GroupDescription": "Instance to EFS Mount Access",
        "VpcId": "VPC"
      }
    },
    "FileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "FileSystem",
        "SubnetId": "Subnet1",
        "SecurityGroups": [
          "EfsSecurityGroup"
        ]
      }
    }
  }
}