Description

ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception.

Resolution: Enable in-transit encryption when using EFS.

Examples

Example of incorrect code:

resource "aws_ecs_task_definition" "bad_example" {
	family                = "service"
	container_definitions = file("task-definitions/service.json")
  
	volume {
	  name = "service-storage"
  
	  efs_volume_configuration {
		file_system_id          = aws_efs_file_system.fs.id
		root_directory          = "/opt/data"
		authorization_config {
		  access_point_id = aws_efs_access_point.test.id
		  iam             = "ENABLED"
		}
	  }
	}
  }

Example of correct code:

resource "aws_ecs_task_definition" "good_example" {
	family                = "service"
	container_definitions = file("task-definitions/service.json")
  
	volume {
	  name = "service-storage"
  
	  efs_volume_configuration {
		file_system_id          = aws_efs_file_system.fs.id
		root_directory          = "/opt/data"
		transit_encryption      = "ENABLED"
		transit_encryption_port = 2999
		authorization_config {
		  access_point_id = aws_efs_access_point.test.id
		  iam             = "ENABLED"
		}
	  }
	}
  }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

aws-ecs-enable-in-transit-encryption.md

aws-ecs-enable-in-transit-encryption.md

Description

Examples

Files

aws-ecs-enable-in-transit-encryption.md

Latest commit

History

aws-ecs-enable-in-transit-encryption.md

File metadata and controls

Description

Examples