EFS Not Encrypted

  • Query id: 72840c35-3876-48be-900d-f21b2f0c2ea1
  • Query name: EFS Not Encrypted
  • Platform: Crossplane
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

Elastic File System (EFS) must be encrypted
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: example3
spec:
  forProvider:
    region: us-east-1
    encrypted: false
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: efs.aws.crossplane.io/v1alpha1
        kind: FileSystem
        metadata:
          name: example4
        spec:
          forProvider:
            region: us-east-1
            encrypted: false
          providerConfigRef:
            name: example
Positive test num. 2 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: example5
spec:
  forProvider:
    region: us-east-1
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: efs.aws.crossplane.io/v1alpha1
        kind: FileSystem
        metadata:
          name: example6
        spec:
          forProvider:
            region: us-east-1
          providerConfigRef:
            name: example

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: efs.aws.crossplane.io/v1alpha1
kind: FileSystem
metadata:
  name: example
spec:
  forProvider:
    region: us-east-1
    encrypted: true
  providerConfigRef:
    name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-ec2
      base:
        apiVersion: efs.aws.crossplane.io/v1alpha1
        kind: FileSystem
        metadata:
          name: example2
        spec:
          forProvider:
            region: us-east-1
            encrypted: true
          providerConfigRef:
            name: example