EFS Volume With Disabled Transit Encryption
- Query id: c1282e03-b285-4637-aee7-eefe3a7bb658
- Query name: EFS Volume With Disabled Transit Encryption
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: 312
- URL: Github
Description¶
Amazon EFS volume does not have encryption for data at transit enabled. To prevent such a scenario, enable the attribute 'TransitEncryption'
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"volumes": [
{
"name": "myEfsVolume",
"efsVolumeConfiguration": {
"fileSystemId": "fs-1234",
"rootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10,
"TransitEncryption": "DISABLED"
}
}
]
}
}
}
}
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"volumes": [
{
"Name": "myEfsVolume",
"efsVolumeConfiguration": {
"FileSystemId": "fs-1234",
"RootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10
}
}
]
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"Volumes": [
{
"Name": "myEfsVolume",
"EfsVolumeConfiguration": {
"FileSystemId": "fs-1234",
"RootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10,
"TransitEncryption": "ENABLED"
}
}
]
}
}
}
}