Ensure EFS volumes in ECS task definitions have encryption in transit enabled
Error: EFS volumes in ECS task definitions do not have encryption in transit enabled
Bridgecrew Policy ID: BC_AWS_GENERAL_39
Checkov Check ID: CKV_AWS_97
Severity: HIGH
Description
This check examines ECS task definitions that attach an Amazon EFS file system as a volume and verifies that transit encryption is enabled for that volume. With transit encryption enabled, NFS traffic between the container host and EFS is carried over TLS; without it, file data and NFS metadata cross the VPC network in the clear. Note that if the `transit_encryption` / `TransitEncryption` setting is omitted, AWS applies the default of DISABLED, so an absent setting fails the check just as an explicit DISABLED does. Transit encryption is also a prerequisite for using EFS IAM authorization on the volume.
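The logic of the check, written out as an added example (this is not Checkov's own implementation): it walks the volumes of a task definition document in the shape returned by `aws ecs describe-task-definition` (camelCase keys under `taskDefinition`), ignores volumes that are not EFS-backed, and reports every EFS volume whose `transitEncryption` is not `ENABLED`, treating an omitted value as DISABLED. The sample task definition, its file system ID and the `NOT_APPLICABLE` result label are constructed for this example.

```python
"""Added example: find EFS volumes in an ECS task definition that lack
transit encryption. Not Checkov's code; input shape follows the
`describe-task-definition` JSON (camelCase). Sample data is constructed."""
import json
import sys


def efs_volumes_without_transit_encryption(task_definition: dict) -> list:
    """Return names of EFS-backed volumes whose transitEncryption is not ENABLED.

    Volumes without efsVolumeConfiguration (host/bind mounts, Docker volumes)
    are out of scope. A missing transitEncryption key means DISABLED, which
    is the AWS default, so it is reported as a finding.
    """
    failing = []
    for volume in task_definition.get("volumes", []):
        efs = volume.get("efsVolumeConfiguration")
        if not efs:
            continue  # not an EFS volume, nothing to check
        if efs.get("transitEncryption", "DISABLED") != "ENABLED":
            failing.append(volume.get("name", "<unnamed>"))
    return failing


def check_task_definition(task_definition: dict) -> dict:
    """Verdict for one task definition.

    result is PASSED, FAILED (with the offending volume names), or
    NOT_APPLICABLE (a label chosen for this example) when no EFS volume
    is attached at all.
    """
    has_efs = any(v.get("efsVolumeConfiguration")
                  for v in task_definition.get("volumes", []))
    if not has_efs:
        return {"result": "NOT_APPLICABLE", "volumes": []}
    failing = efs_volumes_without_transit_encryption(task_definition)
    return {"result": "FAILED" if failing else "PASSED", "volumes": failing}


# Constructed sample: one host volume (ignored), one EFS volume with the
# setting omitted (fails), one EFS volume with TLS and IAM auth (passes).
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "service",
  "volumes": [
    {"name": "scratch", "host": {}},
    {"name": "shared-clear",
     "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0",
                                "rootDirectory": "/"}},
    {"name": "shared-tls",
     "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0",
                                "transitEncryption": "ENABLED",
                                "authorizationConfig": {"iam": "ENABLED"}}}
  ]
}
""")


if __name__ == "__main__":
    # Pipe in the output of:
    #   aws ecs describe-task-definition --task-definition <family:revision> \
    #       --query taskDefinition
    # or run with no input to evaluate the constructed sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TASK_DEFINITION
    verdict = check_task_definition(doc)
    print(json.dumps(verdict))
    sys.exit(1 if verdict["result"] == "FAILED" else 0)
```

Run against the constructed sample, the verdict is FAILED with `shared-clear` listed, because that volume relies on the DISABLED default; the same document with `transitEncryption` set to `ENABLED` on every EFS volume passes.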
Fix - Runtime
AWS Console
TBA
Fix - Buildtime
Terraform
- Resource: aws_ecs_task_definition
- Argument: volume.efs_volume_configuration.transit_encryption must be set to "ENABLED" on every volume block that attaches an EFS file system (omitting it leaves the AWS default of DISABLED).
resource "aws_ecs_task_definition" "example" {
  ...
  family = "service"
  volume {
    ...
    efs_volume_configuration {
      ...
+     transit_encryption = "ENABLED"
    }
  }
  ...
}
CloudFormation
- Resource: AWS::ECS::TaskDefinition
- Argument: Properties.Volumes[].EFSVolumeConfiguration.TransitEncryption must be set to ENABLED on every volume entry that carries an EFSVolumeConfiguration (omitting it leaves the AWS default of DISABLED).
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ...
      Volumes:
        - ...
          EFSVolumeConfiguration:
            ...
+           TransitEncryption: "ENABLED"