BOM - AWS EFS

• Query id: f53f16d6-46a9-4277-9fbe-617b1e24cdca
• Query name: BOM - AWS EFS
• Platform: Terraform
• Severity: Trace
• Category: Bill Of Materials
• CWE: 532
• URL: Github

Description

A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_efs_file_system" "positive1" {
  creation_token = "my-product"
  encrypted = true

  tags = {
    Name = "MyProduct"
  }
}

Positive test num. 2 - tf file

resource "aws_efs_file_system" "positive2" {
  creation_token = "my-product"
  encrypted = true

  tags = {
    Name = "MyProduct"
  }
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.positive2.id

  bypass_policy_lockout_safety_check = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Resource": "${aws_efs_file_system.test.arn}",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
POLICY
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

module "efs" {
  source = "cloudposse/efs/aws"
  version = "0.31.1"
  namespace       = "eg"
  stage           = "test"
  name            = "app"
  region          = "us-west-1"
  vpc_id          = var.vpc_id
  subnets         = var.private_subnets
  security_groups = [var.security_group_id]
  zone_id         = var.aws_route53_dns_zone_id
}