Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions

ID

ecs_task_efs_volumes_encryption_disabled

Severity

high

Vendor

AWS

Resource

EFS

Tags

reachable

Description

An Amazon ECS cluster is a logical grouping of tasks or services. You can use clusters to isolate your applications.

A task definition is required to run Docker containers in Amazon ECS. Task definitions can specify any data volumes that are used with the containers in the task.

On the other hand, Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with your Amazon ECS tasks. You can use Amazon EFS file systems with Amazon ECS to access file system data across your fleet of Amazon ECS tasks.

To provide an additional layer of data protection to secure your data from unauthorized access, it’s recommended to enable transit encryption for the EFS volumes.

Examples

CloudFormation

{
  "Resources": {
    "TaskDef": { (1)
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Volumes": [
          {
            "Name": "MyVolume",
            "EFSVolumeConfiguration": {
              "FilesystemId": "FilesystemId"
            }
          }
        ]
      }
    }
  }
}
1 TransitEncryption not set means encryption in transit is not enabled.

Resources:
  TaskDef: (1)
    Type: AWS::ECS::TaskDefinition
    Properties:
      Volumes:
        - Name: MyVolume
          EFSVolumeConfiguration:
            FilesystemId: FilesystemId
1 TransitEncryption not set means encryption in transit is not enabled.

Terraform

resource "aws_ecs_task_definition" "test" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "DISABLED" (1)
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
1 Ensure transit encryption is not disabled
When the transit encryption attribute is not specified, the default option is disabled.
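The check this rule performs, written out as an added example (not the scanner's own code): it walks a CloudFormation template and flags every EFS volume in an AWS::ECS::TaskDefinition whose TransitEncryption is missing or not ENABLED, treating a missing key as disabled because that is the default. The embedded template is constructed from the page's two examples; the file system id is a placeholder.

```python
import json

# Constructed sample: one non-compliant and one compliant task definition,
# plus an unrelated resource that the check must skip.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "TaskDefBad": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"Volumes": [
                {"Name": "MyVolume",
                 "EFSVolumeConfiguration": {"FilesystemId": "fs-PLACEHOLDER"}}]},
        },
        "TaskDefGood": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"Volumes": [
                {"Name": "MyVolume",
                 "EFSVolumeConfiguration": {"FilesystemId": "fs-PLACEHOLDER",
                                            "TransitEncryption": "ENABLED"}}]},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


def efs_volumes_without_transit_encryption(template_json: str) -> list[tuple[str, str]]:
    """Return (logical_id, volume_name) for each EFS volume of an ECS task
    definition that does not have TransitEncryption set to ENABLED.
    A missing TransitEncryption key counts as disabled (the service default)."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        volumes = resource.get("Properties", {}).get("Volumes") or []
        for volume in volumes:
            if not isinstance(volume, dict):
                continue  # intrinsic function or malformed entry; nothing to inspect
            efs = volume.get("EFSVolumeConfiguration")
            if not isinstance(efs, dict):
                continue  # host or Docker volume, not EFS; rule does not apply
            if str(efs.get("TransitEncryption", "DISABLED")).upper() != "ENABLED":
                findings.append((logical_id, volume.get("Name", "<unnamed>")))
    return findings


if __name__ == "__main__":
    for logical_id, name in efs_volumes_without_transit_encryption(SAMPLE_TEMPLATE):
        print(f"{logical_id}: EFS volume '{name}' has encryption in transit disabled")
```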

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "TaskDef": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Volumes": [
          {
            "Name": "MyVolume",
            "EFSVolumeConfiguration": {
              "FilesystemId": "FilesystemId",
              "TransitEncryption": "ENABLED" (1)
            }
          }
        ]
      }
    }
  }
}
1 TransitEncryption set to ENABLED means encryption in transit is enabled.

Resources:
  TaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Volumes:
        - Name: MyVolume
          EFSVolumeConfiguration:
            FilesystemId: FilesystemId
            TransitEncryption: ENABLED (1)
1 TransitEncryption set to ENABLED means encryption in transit is enabled.

Terraform

resource "aws_ecs_task_definition" "test" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "ENABLED" (1)
      transit_encryption_port = 2999
      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
1 Ensure transit encryption is enabled