ECS task definition volume not encrypted

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ECS task definition volume not encrypted

Metadata

Id: terraform-aws-ecs-task-definition-volume-not-encrypted

Provider: AWS

Platform: Terraform

Severity: High

Category: Encryption

Learn More

Provider Reference

Description

Amazon ECS task definition with EFS volumes should have transit encryption enabled to protect sensitive data transmitted between the ECS host and the EFS server. When transit encryption is disabled, data can be intercepted and read by unauthorized entities during transmission, posing a significant security risk to your containerized applications. To secure your EFS volumes, ensure the transit_encryption parameter is set to ENABLED in the efs_volume_configuration block, as shown below:

efs_volume_configuration {
  file_system_id = aws_efs_file_system.fs.id
  transit_encryption = "ENABLED"
}

Compliant Code Examples

resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}

Non-Compliant Code Examples

resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "DISABLED"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}

resource "aws_ecs_task_definition" "service_2" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}

resource "aws_ecs_task_definition" "service_2" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"
  }
}