EFS Without KMS

• Query id: bd77554e-f138-40c5-91b2-2a09f878608e
• Query name: EFS Without KMS
• Platform: Ansible
• Severity: Low
• Category: Encryption
• CWE: 311
• URL: Github

Description

Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
    kms_key_id: "some-key-id"