EFS Volume With Disabled Transit Encryption
- Query id: 4d46ff3b-7160-41d1-a310-71d6d370b08f
- Query name: EFS Volume With Disabled Transit Encryption
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 319
- Risk score: 7.1
- URL: Github
Description
EFS data in transit between the AWS ECS host and the AWS EFS server should be encrypted: an EFS volume in an AWS ECS Task Definition should set transit_encryption to "ENABLED" in its efs_volume_configuration block.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")
  volume {
    name = "service-storage"
    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "DISABLED"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
Positive test num. 2 - tf file
resource "aws_ecs_task_definition" "service_2" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")
  volume {
    name = "service-storage"
    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
Positive test num. 3 - tf file
resource "aws_ecs_task_definition" "service_2" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")
  volume {
    name = "service-storage"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")
  volume {
    name = "service-storage"
    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
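As an added example (not KICS's own Rego query), here is a small Python checker that reproduces the three positive patterns above, a DISABLED value, a missing transit_encryption attribute, and a volume with no efs_volume_configuration block at all, and reports nothing for the negative sample. The task definition it scans is constructed for this page, and the parser handles only the flat HCL subset these samples use.

```python
SAMPLE = '''resource "aws_ecs_task_definition" "service" {
  volume {
    name = "disabled-storage"
    efs_volume_configuration {
      transit_encryption = "DISABLED"
    }
  }
  volume {
    name = "unset-storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
    }
  }
  volume {
    name = "bare-storage"
  }
  volume {
    name = "encrypted-storage"
    efs_volume_configuration {
      transit_encryption = "ENABLED"
    }
  }
}'''  # constructed sample (not KICS code): three volumes to flag, one clean one

def parse_block(lines):
    # Flat-HCL parser: each block becomes a dict in a list under its keyword; labels in "_labels".
    node = {}
    for line in lines:
        if line == "}":
            break
        if line.endswith("{"):
            head = line[:-1].split()
            child = dict(parse_block(lines), _labels=[h.strip('"') for h in head[1:]])
            node.setdefault(head[0], []).append(child)
        elif "=" in line:
            key, _, val = line.partition("=")
            node[key.strip()] = val.strip().strip('"')
    return node

def unencrypted_efs_volumes(hcl_text):
    # Flag volumes lacking an EFS block, lacking transit_encryption, or not set to ENABLED.
    doc = parse_block(iter(map(str.strip, hcl_text.splitlines())))
    findings = []
    for res in doc.get("resource", []):
        if res["_labels"][0] == "aws_ecs_task_definition":
            for vol in res.get("volume", []):
                efs = vol.get("efs_volume_configuration")
                mode = efs[0].get("transit_encryption", "UNSET") if efs else "NO_EFS_BLOCK"
                if mode != "ENABLED":
                    findings.append((res["_labels"][1], vol["name"], mode))
    return findings
```

Each finding names the task definition, the volume and why it was flagged, so `unencrypted_efs_volumes(SAMPLE)` lists the first three volumes and skips `encrypted-storage`.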