ECS Task Definitions with EFS volumes should use in-transit encryption
ECS task definitions that declare volumes backed by an EFS file system should explicitly enable in-transit encryption, so that the NFS traffic between the task and the file system cannot be read or lost if it is intercepted on the network.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
CloudFormation
Enable in-transit encryption when using EFS
Resources:
  GoodExample:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: MyCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  GoodTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Image: cfsec/cfsec:latest
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: cfsec-logs
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: cfsec
          MountPoints:
            - ContainerPath: /src
              # SourceVolume must match the Name of an entry under Volumes
              SourceVolume: jenkins-home
          Name: cfsec
      Cpu: 512
      Family: CFSec scan
      Memory: 1024
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
        - EC2
      Volumes:
        - EFSVolumeConfiguration:
            FilesystemId: fs1
            # Encrypt NFS traffic between the task and the file system
            TransitEncryption: ENABLED
          Name: jenkins-home
Terraform
Enable in-transit encryption when using EFS
resource "aws_ecs_task_definition" "good_example" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      # Encrypt NFS traffic between the task and the file system
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999

      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
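The same check can be run against task definitions that are already registered, not only against templates. The script below is an added example (not cfsec/tfsec code): it walks the `taskDefinition` object as returned by `aws ecs describe-task-definition` and reports every EFS volume whose `transitEncryption` is not `ENABLED`; the function name `efs_transit_findings`, the sample document and its `fs-EXAMPLE*` ids are constructed for illustration.

```python
"""Audit registered ECS task definitions for EFS volumes lacking in-transit encryption.

Added example, not part of the cfsec/tfsec rule page. Input is the `taskDefinition`
object from `aws ecs describe-task-definition`; per the ECS API an omitted
`transitEncryption` defaults to DISABLED, so a missing key is also a finding.
"""
import json


def efs_transit_findings(task_def: dict) -> list[dict]:
    """Return one finding per EFS volume whose transit encryption is not ENABLED."""
    findings = []
    for vol in task_def.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is None:
            continue  # host / bind / docker volumes are out of scope for this rule
        mode = efs.get("transitEncryption", "DISABLED")  # API default when omitted
        if mode != "ENABLED":
            findings.append({
                "taskDefinition": task_def.get("taskDefinitionArn", "<unknown>"),
                "volume": vol.get("name"),
                "fileSystemId": efs.get("fileSystemId"),
                "transitEncryption": mode,
            })
    return findings


# Constructed sample in the shape of describe-task-definition output (placeholder ids).
SAMPLE_TASK_DEF = json.loads("""
{
  "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/jenkins:7",
  "family": "jenkins",
  "volumes": [
    {"name": "jenkins-home",
     "efsVolumeConfiguration": {"fileSystemId": "fs-EXAMPLE1", "transitEncryption": "ENABLED"}},
    {"name": "scratch",
     "efsVolumeConfiguration": {"fileSystemId": "fs-EXAMPLE2"}},
    {"name": "legacy",
     "efsVolumeConfiguration": {"fileSystemId": "fs-EXAMPLE3", "transitEncryption": "DISABLED"}},
    {"name": "tmp", "host": {}}
  ]
}
""")

if __name__ == "__main__":
    for f in efs_transit_findings(SAMPLE_TASK_DEF):
        print(f"{f['taskDefinition']}: volume {f['volume']} ({f['fileSystemId']}) "
              f"transitEncryption={f['transitEncryption']}")
```

Feed it the `taskDefinition` object from each active revision (for example by iterating `aws ecs list-task-definitions`) to find volumes that were registered before the rule was enforced.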
Links