enable-in-transit-encryption
Default Severity: high
Explanation
ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception.
Possible Impact
Intercepted traffic to and from EFS may lead to data loss
Suggested Resolution
Enable in transit encryption when using efs
Insecure Example
The following example will fail the aws-ecs-enable-in-transit-encryption check.
resource "aws_ecs_task_definition" "bad_example" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
efs_volume_configuration {
file_system_id = aws_efs_file_system.fs.id
root_directory = "/opt/data"
authorization_config {
access_point_id = aws_efs_access_point.test.id
iam = "ENABLED"
}
}
}
}
Secure Example
The following example will pass the aws-ecs-enable-in-transit-encryption check.
resource "aws_ecs_task_definition" "good_example" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
efs_volume_configuration {
file_system_id = aws_efs_file_system.fs.id
root_directory = "/opt/data"
transit_encryption = "ENABLED"
transit_encryption_port = 2999
authorization_config {
access_point_id = aws_efs_access_point.test.id
iam = "ENABLED"
}
}
}
}