Ensure Transit Encryption is enabled for Amazon Elastic Container Service (ECS) Task Definition using Elastic File System (EFS) Volumes

MEDIUM

Description

The AWS ECS task definition mounts EFS volumes with transit encryption disabled, so data moving between the task and the file system crosses the network unencrypted, which may lead to sensitive data exposure.

Remediation

A task definition can have transit encryption configured for its EFS volumes either when it is created or when a new revision is created. However, if only a new revision is created, services launched from the prior revision may keep running with the insecure configuration even after that revision is deregistered. To properly remediate this scenario, a new task definition must be created, with all new services generated from the new task definition. When creating an ECS task definition in the AWS console, follow the steps below. For more information, see the AWS documentation (below).

In AWS Console:

  1. Sign in to AWS Console and open the ECS console.
  2. Select Task Definitions from the navigation bar.
  3. Select Create a new task definition.
  4. After configuring the container information, select Next.
  5. Under Storage, select Add Storage and select EFS as the volume type.
  6. Select Advanced Configuration, then in the dialog box, check Transit encryption to enable it.
  7. Configure the remainder as needed and save.

In Terraform:

  1. In the aws_ecs_task_definition resource, set the efs_volume_configuration.transit_encryption field to ENABLED.
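The following Terraform fragment is an added example, not code from this policy page or from AWS; it shows the non-compliant configuration this rule flags next to the remediated form. The resource names, family name, file system ID, access point ID and container image are placeholders invented for illustration.

```hcl
# NON-COMPLIANT (flagged by AC_AWS_0463): transit_encryption omitted, which
# defaults to DISABLED, so NFS traffic between the task and EFS is in clear text.
resource "aws_ecs_task_definition" "insecure_example" {
  family                   = "example-app"            # placeholder
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  container_definitions    = jsonencode([{
    name        = "app"
    image       = "example.invalid/app:latest"          # placeholder image
    essential   = true
    mountPoints = [{ sourceVolume = "data", containerPath = "/data" }]
  }])

  volume {
    name = "data"
    efs_volume_configuration {
      file_system_id = "fs-0123456789abcdef0"          # placeholder
      root_directory = "/"
      # transit_encryption not set -> DISABLED
    }
  }
}

# COMPLIANT: transit_encryption = "ENABLED" tunnels the NFS traffic over TLS.
# The optional authorization_config shown here scopes the mount to an EFS
# access point and uses the task IAM role for file system authorization;
# both require transit encryption to be ENABLED.
resource "aws_ecs_task_definition" "secure_example" {
  family                   = "example-app"            # placeholder
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  task_role_arn            = aws_iam_role.app_task.arn # assumed to exist elsewhere
  container_definitions    = jsonencode([{
    name        = "app"
    image       = "example.invalid/app:latest"          # placeholder image
    essential   = true
    mountPoints = [{ sourceVolume = "data", containerPath = "/data" }]
  }])

  volume {
    name = "data"
    efs_volume_configuration {
      file_system_id          = "fs-0123456789abcdef0"   # placeholder
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999                     # optional; any free port on the task
      authorization_config {
        access_point_id = "fsap-0123456789abcdef0"        # placeholder
        iam             = "ENABLED"
      }
    }
  }
}
```

After applying the compliant resource, point every ECS service at the new task definition (for example via the `task_definition` argument of `aws_ecs_service`) rather than only registering a new revision, so that no service keeps running the earlier unencrypted mount.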

References:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition

Policy Details

Rule Reference ID: AC_AWS_0463
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks