EFS volumes in ECS task definitions do not have encryption in transit enabled
Description
This check examines ECS task definitions and, for every volume backed by EFS, verifies that encryption in transit is enabled. An EFS volume whose `transit_encryption` is missing or set to `DISABLED` fails the check, because ECS mounts the file system without TLS in that case.
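The same check expressed as a small Python function, added here as an illustration rather than taken from any scanner's own source. It walks the `volumes` list in the JSON shape returned by `aws ecs describe-task-definition` and reports every EFS-backed volume whose `transitEncryption` is not `ENABLED`; the sample task definition and its file system IDs are constructed for the example.

```python
"""Flag EFS volumes in an ECS task definition that lack encryption in transit.

Added example, not a scanner's own implementation. It reads the JSON shape
produced by `aws ecs describe-task-definition` (taskDefinition.volumes[]).
"""
import json


def efs_volumes_without_transit_encryption(task_definition: dict) -> list[str]:
    """Return the names of EFS-backed volumes whose transitEncryption is not ENABLED.

    Accepts either the bare task definition or the {"taskDefinition": ...}
    wrapper the CLI prints. Volumes without an efsVolumeConfiguration (host or
    Docker volumes) are ignored. A missing transitEncryption key is reported,
    since ECS treats the attribute as DISABLED when it is omitted.
    """
    definition = task_definition.get("taskDefinition", task_definition)
    findings = []
    for volume in definition.get("volumes", []):
        efs = volume.get("efsVolumeConfiguration")
        if not efs:
            continue  # not an EFS volume, nothing to check
        if efs.get("transitEncryption") != "ENABLED":
            findings.append(volume.get("name", "<unnamed>"))
    return findings


# Constructed sample resembling `aws ecs describe-task-definition` output;
# the file system IDs are placeholders, not real resources.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "service",
  "volumes": [
    {"name": "scratch", "host": {}},
    {"name": "shared-data",
     "efsVolumeConfiguration": {"fileSystemId": "fs-00000000", "transitEncryption": "DISABLED"}},
    {"name": "legacy-data",
     "efsVolumeConfiguration": {"fileSystemId": "fs-11111111"}},
    {"name": "secure-data",
     "efsVolumeConfiguration": {"fileSystemId": "fs-22222222", "transitEncryption": "ENABLED"}}
  ]
}
""")

if __name__ == "__main__":
    for name in efs_volumes_without_transit_encryption(SAMPLE_TASK_DEFINITION):
        print(f"FAILED: EFS volume '{name}' does not have encryption in transit enabled")
```

Running it on the sample reports `shared-data` (explicitly disabled) and `legacy-data` (attribute omitted) and passes `secure-data`.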
Fix - Runtime
AWS Console
TBA
Fix - Buildtime
Terraform
- **Resource:** aws_ecs_task_definition
- **Argument:** efs_volume_configuration/transit_encryption needs to be set to ENABLED if an EFS volume is attached.

```hcl
resource "aws_ecs_task_definition" "example" {
  ...
  family = "service"
  volume {
    ...
    efs_volume_configuration {
      ...
  +   transit_encryption = "ENABLED"
    }
  }
  ...
}
```
CloudFormation
- **Resource:** AWS::ECS::TaskDefinition
- **Argument:** Properties.Volumes.EFSVolumeConfiguration.TransitEncryption needs to be set to ENABLED if an EFS volume is attached.

```yaml
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ...
      Volumes:
        - ...
          EFSVolumeConfiguration:
            ...
  +         TransitEncryption: "ENABLED"
```