Ensure EFS volumes in ECS task definitions have encryption in transit enabled

Error: EFS volumes in ECS task definitions do not have encryption in transit enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_39
Checkov Check ID: CKV_AWS_97
Severity: HIGH

EFS volumes in ECS task definitions do not have encryption in transit enabled

Description

This check inspects the volume definitions of each ECS task definition. For every volume backed by an EFS file system (an efs_volume_configuration / EFSVolumeConfiguration block), transit encryption must be set to ENABLED. When the setting is omitted ECS defaults it to DISABLED, and the NFS traffic between the task's host and the EFS mount target then crosses the VPC network in cleartext; enabling transit encryption wraps that traffic in TLS and is also a prerequisite for using EFS IAM authorization on the volume.

Fix - Runtime

AWS Console

TBA

Fix - Buildtime

Terraform

  • Resource: aws_ecs_task_definition
  • Argument: efs_volume_configuration.transit_encryption must be set to "ENABLED" inside every volume block that carries an efs_volume_configuration (when omitted, the provider leaves it at the ECS default of "DISABLED").
resource "aws_ecs_task_definition" "example" {
  ...
  family                = "service"
  volume {
    ...
    efs_volume_configuration {
      ...
+     transit_encryption      = "ENABLED"
    }
  }
  ...
}

CloudFormation

  • Resource: AWS::ECS::TaskDefinition
  • Argument: Properties.Volumes[].EFSVolumeConfiguration.TransitEncryption must be set to ENABLED on every volume entry that carries an EFSVolumeConfiguration (when omitted, ECS defaults it to DISABLED).
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ...
      Volumes:
        - ...
          EFSVolumeConfiguration:
            ...
+           TransitEncryption: "ENABLED"
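The same condition can be evaluated outside Checkov, for example against the output of `aws ecs describe-task-definition` for task definitions that are already registered. The script below is an added example, not code from this page or from the Checkov check itself: `find_unencrypted_efs_volumes` applies the rule (an EFS volume passes only when transit encryption is explicitly ENABLED, because an omitted key means DISABLED) to a task definition in either the ECS API spelling (camelCase) or the CloudFormation spelling (PascalCase), and `remediated_revision` turns a describe-task-definition response into the JSON body for a new revision with the setting fixed, stripping the read-only fields that the register call rejects. The sample task definition, its ARN, account number and file system IDs are constructed for this example.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample in the shape returned by
# `aws ecs describe-task-definition --task-definition web:3`
# (trimmed; the ARN, account id and file system ids are made up).
SAMPLE_TASK_DEFINITION: Dict[str, Any] = {
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:3",
        "family": "web",
        "revision": 3,
        "status": "ACTIVE",
        "requiresAttributes": [{"name": "ecs.capability.efs"}],
        "compatibilities": ["EC2", "FARGATE"],
        "containerDefinitions": [{"name": "app", "image": "nginx:1.25", "essential": True}],
        "volumes": [
            # Host volume: not EFS, so the rule does not apply.
            {"name": "scratch", "host": {}},
            # EFS volume with transitEncryption omitted: ECS treats this as DISABLED.
            {"name": "shared-config",
             "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0"}},
            # EFS volume explicitly DISABLED.
            {"name": "shared-data",
             "efsVolumeConfiguration": {"fileSystemId": "fs-0fedcba9876543210",
                                        "transitEncryption": "DISABLED"}},
            # Compliant EFS volume.
            {"name": "secure",
             "efsVolumeConfiguration": {"fileSystemId": "fs-0aaaabbbbccccdddd",
                                        "transitEncryption": "ENABLED",
                                        "transitEncryptionPort": 2049}},
        ],
    }
}

# Fields that describe-task-definition returns but register-task-definition
# does not accept; they are dropped before a new revision is built.
READ_ONLY_FIELDS = (
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
)


def _efs_config(volume: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the EFS block of a volume in ECS API or CloudFormation spelling,
    or None when the volume is not backed by EFS."""
    for key in ("efsVolumeConfiguration", "EFSVolumeConfiguration"):
        if key in volume:
            return volume[key]
    return None


def find_unencrypted_efs_volumes(task_definition: Dict[str, Any]) -> List[str]:
    """Names of EFS-backed volumes whose transit encryption is not ENABLED.
    An omitted transitEncryption / TransitEncryption key counts as DISABLED."""
    volumes = task_definition.get("volumes", task_definition.get("Volumes", []))
    failing = []
    for volume in volumes:
        efs = _efs_config(volume)
        if efs is None:
            continue
        setting = efs.get("transitEncryption", efs.get("TransitEncryption", "DISABLED"))
        if setting != "ENABLED":
            failing.append(volume.get("name", volume.get("Name", "<unnamed>")))
    return failing


def remediated_revision(describe_output: Dict[str, Any]) -> Dict[str, Any]:
    """Build the JSON body for `aws ecs register-task-definition --cli-input-json`
    with transit encryption ENABLED on every EFS volume. The input is not modified;
    task definitions are immutable, so the fix is always a new revision."""
    source = describe_output["taskDefinition"]
    new_td = json.loads(json.dumps(  # deep copy via JSON round trip
        {k: v for k, v in source.items() if k not in READ_ONLY_FIELDS}))
    for volume in new_td.get("volumes", []):
        efs = volume.get("efsVolumeConfiguration")
        if efs is not None:
            efs["transitEncryption"] = "ENABLED"
    return new_td


if __name__ == "__main__":
    td = SAMPLE_TASK_DEFINITION["taskDefinition"]
    print("Failing volumes:", find_unencrypted_efs_volumes(td))
    print(json.dumps(remediated_revision(SAMPLE_TASK_DEFINITION), indent=2))
```

Writing the returned body to a file and registering it with `aws ecs register-task-definition --cli-input-json file://revision.json` produces the fixed revision; the service (or scheduled task) still has to be updated to point at it.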