Id: 727c4fd4-d604-4df6-a179-7713d3c85e20
Cloud Provider: AWS
Platform: Ansible
Severity: High
Category: Encryption
Description
EFS file systems must have encryption enabled to protect data at rest and prevent exposure of file system contents, snapshots, and backups if storage media is compromised. For Ansible tasks using the community.aws.efs or efs modules, the encrypt property must be defined and set to true. Resources that omit encrypt or have encrypt: false are flagged as misconfigured.
Secure example:
- name: Create encrypted EFS filesystem
  community.aws.efs:
    name: my-efs
    encrypt: true
Compliant Code Examples
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: [sg-1a2b3c4d]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: true
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: [sg-1a2b3c4d]
Non-Compliant Code Examples
---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: false
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo3
  community.aws.efs:
    state: present
    name: myTestEFS
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
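
One way to apply the check described above to an already-parsed playbook, as an added example that is not the scanner's own code. The function names, the handling of `block`/`rescue`/`always` sections and the separate finding for templated values are assumptions of this sketch; it also assumes module arguments are written as a mapping, not a free-form `key=value` string.

```python
# Added example: static check for the rule described on this page.
# Input is a playbook's task list after YAML parsing (e.g. yaml.safe_load).
EFS_MODULES = {"community.aws.efs", "efs"}      # module names the rule covers
TRUTHY = {"y", "yes", "on", "1", "true", "t"}   # strings Ansible coerces to true


def is_true(value):
    """Coerce a parameter value the way Ansible does for bool options."""
    if isinstance(value, (bool, int, float)):
        return value == 1
    return str(value).strip().lower() in TRUTHY


def find_unencrypted_efs(tasks, path="tasks"):
    """Return (location, reason) for each EFS task lacking encrypt: true."""
    findings = []
    for i, task in enumerate(tasks or []):
        here = f"{path}[{i}] {task.get('name', '<unnamed>')}"
        for section in ("block", "rescue", "always"):   # nested task lists
            findings += find_unencrypted_efs(task.get(section), f"{here}.{section}")
        for module in sorted(EFS_MODULES & task.keys()):
            args = task[module] or {}
            value = args.get("encrypt")
            if "encrypt" not in args:
                findings.append((here, "encrypt is not defined"))
            elif isinstance(value, str) and "{{" in value:
                # Assumption of this sketch: a Jinja value cannot be judged statically.
                findings.append((here, "encrypt is templated; resolve and verify"))
            elif not is_true(value):
                findings.append((here, f"encrypt is {value!r}"))
    return findings


# Constructed sample: values as a YAML 1.1 loader yields them (yes/no -> bool).
SAMPLE_TASKS = [
    {"name": "ok-bool", "community.aws.efs": {"name": "myTestEFS", "encrypt": True}},
    {"name": "ok-string", "efs": {"name": "myTestEFS", "encrypt": "yes"}},
    {"name": "off", "community.aws.efs": {"name": "myTestEFS", "encrypt": False}},
    {"name": "missing", "community.aws.efs": {"name": "myTestEFS", "state": "present"}},
    {"name": "group", "block": [
        {"name": "templated", "efs": {"name": "myTestEFS", "encrypt": "{{ efs_encrypt }}"}},
    ]},
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not an EFS task"}},
]

if __name__ == "__main__":
    for location, reason in find_unencrypted_efs(SAMPLE_TASKS):
        print(f"{location}: {reason}")
```

To scan a real file, load it with a YAML parser and pass each play's `tasks` list to `find_unencrypted_efs`.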