BOM - AWS EFS

  • Query id: ef05a925-8568-4054-8ff1-f5ba82631c16
  • Query name: BOM - AWS EFS
  • Platform: CloudFormation
  • Severity: Trace
  • Category: Bill Of Materials
  • CWE: 532
  • URL: Github

Description

A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Resources:
    FileSystemResource:
      Type: 'AWS::EFS::FileSystem'
      Properties:
        AvailabilityZoneName: us-east-1a
        BackupPolicy:
          Status: ENABLED
        Encrypted: true
        LifecyclePolicies:
          - TransitionToIA: AFTER_30_DAYS
        FileSystemTags:
          - Key: Name
            Value: TestFileSystem
        FileSystemPolicy:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "elasticfilesystem:ClientMount"
              Principal:
                  AWS: 'arn:aws:iam::111122223333:role/EfsReadOnly'
        KmsKeyId: !GetAtt 
          - key
          - Arn
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "FileSystemResource": {
      "Properties": {
        "AvailabilityZoneName": "us-east-1a",
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": true,
        "FileSystemPolicy": {
          "Statement": [
            {
              "Action": [
                "elasticfilesystem:ClientMount"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "TestFileSystem"
          }
        ],
        "KmsKeyId": [
          "key",
          "Arn"
        ],
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_30_DAYS"
          }
        ]
      },
      "Type": "AWS::EFS::FileSystem"
    }
  }
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Resources:
    FileSystemResource:
      Type: 'AWS::EFS::FileSystem'
      Properties:
        AvailabilityZoneName: us-east-1a
        BackupPolicy:
          Status: ENABLED
        Encrypted: false
        LifecyclePolicies:
          - TransitionToIA: AFTER_30_DAYS
        FileSystemTags:
          - Key: Name
            Value: TestFileSystem

Positive test num. 4 - json file 
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "FileSystemResource": {
      "Properties": {
        "AvailabilityZoneName": "us-east-1a",
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": false,
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "TestFileSystem"
          }
        ],
        "KmsKeyId": [
          "key",
          "Arn"
        ],
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_30_DAYS"
          }
        ]
      },
      "Type": "AWS::EFS::FileSystem"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": "true"
        }
      }
    }
  }
}