For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-efs-volume-with-disabled-transit-encryption.md. A documentation index is available at /llms.txt.

EFS volume with disabled transit encryption

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-efs-volume-with-disabled-transit-encryption

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Encryption

Learn More

Description

Amazon ECS task definitions that mount Amazon EFS volumes must enable in-transit encryption to protect data transmitted between containers and the file system from interception or tampering.

In CloudFormation, the AWS::ECS::TaskDefinition resource’s Properties.volumes[*].efsVolumeConfiguration.TransitEncryption property must be defined and set to ENABLED. Resources missing this property or with TransitEncryption set to any value other than ENABLED will be flagged.

Secure example:

MyTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: my-task
    ContainerDefinitions: []
    Volumes:
      - Name: MyEfsVolume
        EFSVolumeConfiguration:
          FileSystemId: fs-0123456789abcdef0
          TransitEncryption: ENABLED

Compliant Code Examples

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A sample template",
    "Resources": {
      "ECSService": {
        "Properties": {
          "LoadBalancers": [
            {
              "TargetGroupArn": {
                "Ref": "TargetGroup"
              },
              "ContainerPort": 80,
              "ContainerName": "sample-app"
            }
          ],
          "Cluster": {
            "Ref": "ECSCluster"
          },
          "LaunchType": "FARGATE",
          "Role": {
            "Ref": "ECSServiceRole"
          },
          "TaskDefinition": {
            "Ref": "ECSTaskDefinition"
          },
          "DesiredCount": 1
        },
        "Type": "AWS::ECS::Service",
        "DependsOn": [
          "Listener"
        ]
      },
      "taskdefinition": {
        "Type": "AWS::ECS::TaskDefinition",
        "Properties": {
            "ContainerDefinitions": [
                {
                    "Name": "container-using-efs",
                    "Image": "amazonlinux:2",
                    "EntryPoint": [
                        "sh",
                        "-c"
                    ],
                    "Command": [
                        "ls -la /mount/efs"
                    ],
                    "MountPoints": [
                        {
                            "SourceVolume": "myEfsVolume",
                            "ContainerPath": "/mount/efs",
                            "ReadOnly": true
                        }
                    ]
                }
            ],
            "Volumes": [
                {
                    "Name": "myEfsVolume",
                    "EFSVolumeConfiguration": {
                        "FileSystemId": "fs-1234",
                        "RootDirectory": "/path/to/my/data",
                        "TransitEncryptionPort": 10,
                        "TransitEncryption": "ENABLED"
                    }
                }
            ]
        }
      }
    }
  }

Non-Compliant Code Examples

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A sample template",
    "Resources": {
      "ECSService": {
        "Properties": {
          "LoadBalancers": [
            {
              "TargetGroupArn": {
                "Ref": "TargetGroup"
              },
              "ContainerPort": 80,
              "ContainerName": "sample-app"
            }
          ],
          "Cluster": {
            "Ref": "ECSCluster"
          },
          "LaunchType": "FARGATE",
          "Role": {
            "Ref": "ECSServiceRole"
          },
          "TaskDefinition": {
            "Ref": "ECSTaskDefinition"
          },
          "DesiredCount": 1
        },
        "Type": "AWS::ECS::Service",
        "DependsOn": [
          "Listener"
        ]
      },
      "taskdefinition": {
        "Type": "AWS::ECS::TaskDefinition",
        "Properties": {
            
            "ContainerDefinitions": [
                {
                    "Name": "container-using-efs",
                    "Image": "amazonlinux:2",
                    "EntryPoint": [
                        "sh",
                        "-c"
                    ],
                    "Command": [
                        "ls -la /mount/efs"
                    ],
                    "MountPoints": [
                        {
                            "SourceVolume": "myEfsVolume",
                            "ContainerPath": "/mount/efs",
                            "ReadOnly": true
                        }
                    ]
                }
            ],
            "Volumes": [
                {
                    "Name": "myEfsVolume",
                    "EFSVolumeConfiguration": {
                        "fileSystemId": "fs-1234",
                        "rootDirectory": "/path/to/my/data",
                        "TransitEncryptionPort": 10,
                        "TransitEncryption": "DISABLED"
                    }
                }
            ]
        }
      }
    }
  }

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A sample template",
    "Resources": {
      "ECSService": {
        "Properties": {
          "LoadBalancers": [
            {
              "TargetGroupArn": {
                "Ref": "TargetGroup"
              },
              "ContainerPort": 80,
              "ContainerName": "sample-app"
            }
          ],
          "Cluster": {
            "Ref": "ECSCluster"
          },
          "LaunchType": "FARGATE",
          "Role": {
            "Ref": "ECSServiceRole"
          },
          "TaskDefinition": {
            "Ref": "ECSTaskDefinition"
          },
          "DesiredCount": 1
        },
        "Type": "AWS::ECS::Service",
        "DependsOn": [
          "Listener"
        ]
      },
      "taskdefinition": {
        "Type": "AWS::ECS::TaskDefinition",
        "Properties": {
            "ContainerDefinitions": [
                {
                    "Name": "container-using-efs",
                    "Image": "amazonlinux:2",
                    "EntryPoint": [
                        "sh",
                        "-c"
                    ],
                    "Command": [
                        "ls -la /mount/efs"
                    ],
                    "MountPoints": [
                        {
                            "SourceVolume": "myEfsVolume",
                            "ContainerPath": "/mount/efs",
                            "ReadOnly": true
                        }
                    ]
                }
            ],
            "Volumes": [
                {
                    "Name": "myEfsVolume",
                    "EFSVolumeConfiguration": {
                        "FileSystemId": "fs-1234",
                        "RootDirectory": "/path/to/my/data",
                        "TransitEncryptionPort": 10
                    }
                }
            ]
        }
      }
    }
  }