EFS Without KMS

  • Query id: 6d087495-2a42-4735-abf7-02ef5660a7e6
  • Query name: EFS Without KMS
  • Platform: CloudFormation
  • Severity: Low
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSKMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "An example CMK with KMS"
        KeyPolicy:
          Version: "2012-10-17"
          Id: "efs-default-key1"
          Statement:
          -   Sid: "Allow administration of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:Create*"
                - "kms:Describe*"
                - "kms:Enable*"
                - "kms:List*"
                - "kms:Put*"
                - "kms:Update*"
                - "kms:Revoke*"
                - "kms:Disable*"
                - "kms:Get*"
                - "kms:Delete*"
                - "kms:ScheduleKeyDeletion"
                - "kms:CancelKeyDeletion"
              Resource: "*"
          -   Sid: "Allow use of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:DescribeKey"
                - "kms:Encrypt"
                - "kms:Decrypt"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey"
                - "kms:GenerateDataKeyWithoutPlaintext"
              Resource: "*"
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: false
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Type": "String",
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID2": {
      "Default": "subnet-ID",
      "Type": "String",
      "Description": "the subnet where to Launch the service"
    },
    "SubnetID3": {
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    },
    "SubnetID4": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    }
  },
  "Resources": {
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID1"
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID2"
      }
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID3"
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID4"
      }
    },
    "EFSKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example CMK with KMS",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "efs-default-key1",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::999999999999:user/roger"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*",
              "Sid": "Allow administration of the key"
            },
            {
              "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*",
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::999999999999:user/roger"
              }
            }
          ]
        }
      }
    },
    "EFSSecurityGroup": {
      "Properties": {
        "SecurityGroupIngress": [
          {
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp",
            "ToPort": 2049
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Value": "test-VPC-EFS-SG",
            "Key": "Name"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ],
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC"
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ],
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": false
      }
    }
  },
  "Outputs": {
    "EFSMountTarget2": {
      "Description": "The EFS MountTarget2",
      "Value": "MountTarget2"
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": "MountTarget3"
    },
    "EFSMountTarget4": {
      "Value": "MountTarget4",
      "Description": "The EFS MountTarget4"
    },
    "EFS": {
      "Description": "The created EFS",
      "Value": "EFSFileSystem01"
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": "MountTarget1"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSKMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "An example CMK with KMS"
        KeyPolicy:
          Version: "2012-10-17"
          Id: "efs-default-key1"
          Statement:
          -   Sid: "Allow administration of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:Create*"
                - "kms:Describe*"
                - "kms:Enable*"
                - "kms:List*"
                - "kms:Put*"
                - "kms:Update*"
                - "kms:Revoke*"
                - "kms:Disable*"
                - "kms:Get*"
                - "kms:Delete*"
                - "kms:ScheduleKeyDeletion"
                - "kms:CancelKeyDeletion"
              Resource: "*"
          -   Sid: "Allow use of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:DescribeKey"
                - "kms:Encrypt"
                - "kms:Decrypt"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey"
                - "kms:GenerateDataKeyWithoutPlaintext"
              Resource: "*"
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: false
            KmsKeyId: !Ref EFSKMSKey
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    },
    "SubnetID2": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID3": {
      "Type": "String",
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID4": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    }
  },
  "Resources": {
    "EFSKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example CMK with KMS",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "efs-default-key1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::999999999999:user/roger"
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::999999999999:user/roger"
              },
              "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*",
              "Sid": "Allow use of the key"
            }
          ]
        }
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS-SG"
          },
          {
            "Value": "ITEngineering",
            "Key": "Project"
          }
        ],
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC",
        "SecurityGroupIngress": [
          {
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp",
            "ToPort": 2049
          }
        ]
      }
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": false,
        "KmsKeyId": "EFSKMSKey",
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID1"
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ],
        "SubnetId": "SubnetID2"
      }
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "SubnetId": "SubnetID3",
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ]
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "SubnetId": "SubnetID4",
        "FileSystemId": "EFSFileSystem01",
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          "EFSSecurityGroup"
        ]
      }
    }
  },
  "Outputs": {
    "EFSMountTarget2": {
      "Description": "The EFS MountTarget2",
      "Value": "MountTarget2"
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": "MountTarget3"
    },
    "EFSMountTarget4": {
      "Description": "The EFS MountTarget4",
      "Value": "MountTarget4"
    },
    "EFS": {
      "Description": "The created EFS",
      "Value": "EFSFileSystem01"
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": "MountTarget1"
    }
  }
}