ECS Task Definitions with EFS volumes should use in-transit encryption

ECS task definitions that mount EFS file systems should explicitly set TransitEncryption to ENABLED in the volume's EFS configuration. When the setting is omitted, ECS defaults it to DISABLED and the NFS traffic between the task and the EFS mount target crosses the VPC network in the clear, so anything positioned to observe that traffic can read or tamper with the data. With it enabled, ECS tunnels the NFS session over TLS (the same mechanism the EFS mount helper uses).

Impact
Intercepted traffic to and from EFS may lead to data being disclosed or tampered with.

Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
CloudFormation

Enable in-transit encryption when using EFS:

```yaml
Resources:
  GoodExample:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: MyCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  GoodTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "CFSec scan"
      Cpu: 512
      Memory: 1024
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
        - EC2
      ContainerDefinitions:
        - Name: cfsec
          Image: cfsec/cfsec:latest
          MountPoints:
            - SourceVolume: src       # must name a volume declared under Volumes
              ContainerPath: /src
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: "cfsec-logs"
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: "cfsec"
      Volumes:
        - Name: src                   # matches the container's SourceVolume above
          EFSVolumeConfiguration:
            FilesystemId: "fs1"
            TransitEncryption: ENABLED  # omitted means DISABLED; set it explicitly
```
Terraform

Enable in-transit encryption when using EFS:

```hcl
resource "aws_ecs_task_definition" "good_example" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
      # When an access point is used, root_directory must be omitted or "/";
      # the path is taken from the access point instead.
      root_directory          = "/"
      transit_encryption      = "ENABLED" # omitted means DISABLED; set it explicitly
      transit_encryption_port = 2999      # optional; ECS picks a port if unset

      # IAM authorization and access points both require transit_encryption = "ENABLED".
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
```
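Beyond fixing templates, it is useful to audit what is actually registered in an account. The script below is an added example (not part of the cfsec/tfsec documentation and not an AWS API) that walks a task definition in the JSON shape returned by `aws ecs describe-task-definition`, reports every EFS volume whose NFS traffic would be unencrypted, and produces a hardened copy with `transitEncryption` set to `ENABLED`. It treats an omitted `transitEncryption` as `DISABLED`, which is the ECS default, and flags volumes that combine a disabled setting with IAM authorization or an access point, since ECS requires transit encryption for both. The task definition is constructed inline; the file system IDs and container names are placeholders.

```python
"""Audit ECS task definitions (describe-task-definition JSON) for EFS volumes
mounted without in-transit encryption, and emit a hardened copy.

Added example; not code from the cfsec/tfsec project or the ECS API.
"""
import copy
import json

# Constructed sample in the shape of `aws ecs describe-task-definition`
# output, trimmed to the fields this check reads.  One EFS volume omits
# transitEncryption (ECS defaults it to DISABLED), one sets DISABLED while
# asking for IAM authorization, one is correct, and one is not EFS at all.
SAMPLE_TASK_DEFINITION = json.loads(r"""
{
  "family": "service",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "example/app:latest",
      "mountPoints": [
        {"sourceVolume": "logs",  "containerPath": "/var/log/app"},
        {"sourceVolume": "data",  "containerPath": "/opt/data"},
        {"sourceVolume": "cache", "containerPath": "/cache"}
      ]
    }
  ],
  "volumes": [
    {"name": "logs",
     "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0"}},
    {"name": "data",
     "efsVolumeConfiguration": {
       "fileSystemId": "fs-0123456789abcdef0",
       "transitEncryption": "DISABLED",
       "authorizationConfig": {"iam": "ENABLED"}}},
    {"name": "cache",
     "efsVolumeConfiguration": {
       "fileSystemId": "fs-0123456789abcdef1",
       "transitEncryption": "ENABLED"}},
    {"name": "scratch", "host": {}}
  ]
}
""")


def mount_paths(task_def: dict) -> dict[str, list[str]]:
    """Map each volume name to the 'container:path' locations that mount it."""
    paths: dict[str, list[str]] = {}
    for container in task_def.get("containerDefinitions", []):
        for mp in container.get("mountPoints", []):
            paths.setdefault(mp["sourceVolume"], []).append(
                f'{container["name"]}:{mp["containerPath"]}')
    return paths


def efs_transit_findings(task_def: dict) -> list[dict]:
    """Return one finding per EFS volume whose NFS traffic would be plaintext."""
    findings = []
    paths = mount_paths(task_def)
    for vol in task_def.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is None:
            continue  # host/bind or Docker volume: not an EFS mount
        # ECS treats an omitted transitEncryption as DISABLED.
        state = efs.get("transitEncryption", "DISABLED")
        if state == "ENABLED":
            continue
        auth = efs.get("authorizationConfig", {})
        # ECS requires transit encryption whenever IAM authorization or an
        # access point is used, so this combination cannot run as written.
        requires_tls = auth.get("iam") == "ENABLED" or "accessPointId" in auth
        findings.append({
            "volume": vol["name"],
            "file_system": efs.get("fileSystemId"),
            "transit_encryption": state,
            "explicit": "transitEncryption" in efs,
            "mounted_at": paths.get(vol["name"], []),
            "requires_transit_encryption": requires_tls,
        })
    return findings


def enable_transit_encryption(task_def: dict) -> dict:
    """Return a copy with transitEncryption ENABLED on every EFS volume."""
    fixed = copy.deepcopy(task_def)
    for vol in fixed.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is not None:
            efs["transitEncryption"] = "ENABLED"
    return fixed


if __name__ == "__main__":
    for finding in efs_transit_findings(SAMPLE_TASK_DEFINITION):
        print(json.dumps(finding))
    hardened = enable_transit_encryption(SAMPLE_TASK_DEFINITION)
    print("findings after hardening:", efs_transit_findings(hardened))
```

Run against real output by replacing `SAMPLE_TASK_DEFINITION` with the `taskDefinition` object from `aws ecs describe-task-definition --task-definition <family:revision>`; the `mounted_at` field tells you which container paths carry the unencrypted traffic, which is what you need when deciding how urgent a given finding is.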