EFS volume with disabled transit encryption
Id: c1282e03-b285-4637-aee7-eefe3a7bb658
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Encryption
Description
Amazon ECS task definitions that mount Amazon EFS volumes must enable in-transit encryption to protect data transmitted between containers and the file system from interception or tampering.
In CloudFormation, the AWS::ECS::TaskDefinition resource's Properties.Volumes[*].EFSVolumeConfiguration.TransitEncryption property must be present and set to ENABLED on every volume that has an EFSVolumeConfiguration. A task definition is flagged when that property is missing from such a volume, or when it is set to any value other than ENABLED (for example DISABLED).
Secure example:
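# Compliant AWS::ECS::TaskDefinition: the EFS volume enforces TLS between the
# task's containers and the file system (indentation restored from the flattened
# rendering; values unchanged).
MyTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: my-task
    ContainerDefinitions: []
    Volumes:
      - Name: MyEfsVolume
        EFSVolumeConfiguration:
          FileSystemId: fs-0123456789abcdef0   # sample value from the page; use your own file system ID
          # Must be present and exactly ENABLED. Omitting it, or setting it to
          # DISABLED (or any other value), is reported by this rule because the
          # NFS traffic to the file system would then cross the network in clear.
          TransitEncryption: ENABLED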
Compliant Code Examples
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"Volumes": [
{
"Name": "myEfsVolume",
"EFSVolumeConfiguration": {
"FileSystemId": "fs-1234",
"RootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10,
"TransitEncryption": "ENABLED"
}
}
]
}
}
}
}
Non-Compliant Code Examples
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"Volumes": [
{
"Name": "myEfsVolume",
"EFSVolumeConfiguration": {
"FileSystemId": "fs-1234",
"RootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10
}
}
]
}
}
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"ECSService": {
"Properties": {
"LoadBalancers": [
{
"TargetGroupArn": {
"Ref": "TargetGroup"
},
"ContainerPort": 80,
"ContainerName": "sample-app"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"LaunchType": "FARGATE",
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "ECSTaskDefinition"
},
"DesiredCount": 1
},
"Type": "AWS::ECS::Service",
"DependsOn": [
"Listener"
]
},
"taskdefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Name": "container-using-efs",
"Image": "amazonlinux:2",
"EntryPoint": [
"sh",
"-c"
],
"Command": [
"ls -la /mount/efs"
],
"MountPoints": [
{
"SourceVolume": "myEfsVolume",
"ContainerPath": "/mount/efs",
"ReadOnly": true
}
]
}
],
"Volumes": [
{
"Name": "myEfsVolume",
"EFSVolumeConfiguration": {
"fileSystemId": "fs-1234",
"rootDirectory": "/path/to/my/data",
"TransitEncryptionPort": 10,
"TransitEncryption": "DISABLED"
}
}
]
}
}
}
}