terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk


Ensure the EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.


Definition

rules:
  - id: aws-efs-filesystem-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_efs_file_system" $ANYTHING {
            ...
            encrypted  = true
            ...
          }
      - pattern-not-inside: |
          resource "aws_efs_file_system" $ANYTHING {
            ...
            encrypted  = true
            kms_key_id = ...
            ...
          }
    message: Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give
      you control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

aws-efs-filesystem-encrypted-with-cmk.tf

resource "aws_efs_file_system" "pass" {
  encrypted  = true
  kms_key_id = aws_kms_key.test.arn
}
# ruleid: aws-efs-filesystem-encrypted-with-cmk
resource "aws_efs_file_system" "fail" {
  encrypted  = true
}
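As an added example that is not part of the rule's own test file: a fuller configuration that also defines the customer-managed key the passing case refers to, with automatic rotation enabled, beside the failing case that leaves encryption on the AWS-managed key. The resource names, the alias and a configured AWS provider are assumed.

```hcl
# Added example; resource names "efs", "data" and the alias name are assumed.
resource "aws_kms_key" "efs" {
  description             = "CMK for EFS encryption at rest"
  enable_key_rotation     = true # automatic rotation of the key material
  deletion_window_in_days = 30   # recovery window before the key is deleted
}

resource "aws_kms_alias" "efs" {
  name          = "alias/efs-data"
  target_key_id = aws_kms_key.efs.key_id
}

# ok: aws-efs-filesystem-encrypted-with-cmk
# Encrypted with the CMK above: key policy and rotation are under your control.
resource "aws_efs_file_system" "data" {
  encrypted  = true
  kms_key_id = aws_kms_key.efs.arn
}

# ruleid: aws-efs-filesystem-encrypted-with-cmk
# Encrypted, but with no kms_key_id the AWS-managed key is used,
# so neither its access policy nor its rotation can be managed.
resource "aws_efs_file_system" "data_default_key" {
  encrypted = true
}
```

Note that the rule matches only blocks that already set `encrypted = true` and lack `kms_key_id`; a file system with no `encrypted` argument at all falls outside this rule's pattern.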