EFS Not Encrypted

• Query id: 727c4fd4-d604-4df6-a179-7713d3c85e20
• Query name: EFS Not Encrypted
• Platform: Ansible
• Severity: High
• Category: Encryption
• CWE: 311
• URL: Github

Description

Elastic File System (EFS) must be encrypted
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: false
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo3
  community.aws.efs:
    state: present
    name: myTestEFS
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: true
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]