bug(scan): ECS Task Definition Volume Not Encrypted - Is encrypted
- Describe in details what the problem is
A critical vulnerability is being raised telling us 'AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted'; however, the data IS encrypted.
- Attach a log file with relevant data preferably in DEBUG level (--log-level=DEBUG)
SAST report shows the exact error is 'AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted'. It's specifically referring to the attribute `transit_encryption = "ENABLED"`. This attribute IS enabled.
- Attach the scanned sample files, anonymize the data if the original file cannot be provided
- When attaching files to the issue make sure they are properly formatted
Expected Behavior
For this not to be reported as a vulnerability
Actual Behavior
reported as a vulnerability
Steps to Reproduce the Problem
Specifications
(N/A if not applicable)
- Version:
- Platform: GitLab
- Subsystem: CI/CD Pipeline
I can't test this myself because you did not provide a sample, but this issue might relate to this PR: https://github.com/Checkmarx/kics/pull/7586. Thank you for raising this issue.
There is another problem with this control's interpretation: a false positive for FARGATE.
ECS and Fargate are not architecturally the same. I'm seeing this vulnerability finding with Fargate where the `volume { }` statement is used; however, Fargate uses ephemeral local storage by default and does not traverse the network, which means this is a false positive when merely scanning on `volume {}` blocks.
I suggest this is patched to ignore the `volume {}` block finding if the `aws_ecs_task_definition` also contains `requires_compatibilities = ["FARGATE"]`.
References:
1 - Fargate task ephemeral storage for Amazon ECS - Amazon Elastic Container Service
2 - AWS Fargate for Amazon ECS - Amazon Elastic Container Service
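The rule logic this thread argues over, written out as an added Python example (not KICS's own Rego query): it reports a volume only when an `efs_volume_configuration` block is present without `transit_encryption = "ENABLED"`, so a bare `volume {}` (the Fargate ephemeral case above) is not flagged; it goes one step beyond the suggestion above by still checking a FARGATE task that does mount EFS. The task definitions, resource names and the `fs-PLACEHOLDER` id are constructed for the example.

```python
"""Illustrative re-implementation of the EFS-in-transit check over parsed
aws_ecs_task_definition resources. Constructed for this thread, not KICS's own
Rego query; the dicts mimic the shape of parsed Terraform blocks."""


def efs_transit_findings(resource_name: str, task_def: dict) -> list[str]:
    """Return one finding per volume that mounts EFS without transit encryption.

    The discriminator is efs_volume_configuration, not the launch type: a bare
    volume {} (bind mount or Fargate ephemeral storage) sends nothing to an EFS
    server and is skipped, while a FARGATE task that does mount EFS is checked.
    """
    findings = []
    for vol in task_def.get("volume", []):
        efs = vol.get("efs_volume_configuration")
        if efs is None:
            continue  # not an EFS volume: no host-to-EFS traffic to encrypt
        # the AWS provider defaults transit_encryption to DISABLED when omitted
        if efs.get("transit_encryption", "DISABLED") != "ENABLED":
            findings.append(f"{resource_name}: volume '{vol.get('name')}' "
                            "mounts EFS without transit_encryption = ENABLED")
    return findings


# Constructed sample resources; fs-PLACEHOLDER stands in for a real file system id.
EFS_ON = {"file_system_id": "fs-PLACEHOLDER", "transit_encryption": "ENABLED"}
EFS_OFF = {"file_system_id": "fs-PLACEHOLDER", "transit_encryption": "DISABLED"}
EFS_OMITTED = {"file_system_id": "fs-PLACEHOLDER"}  # attribute left out entirely

TASK_DEFS = {
    "ec2_encrypted": {"requires_compatibilities": ["EC2"],
                      "volume": [{"name": "data", "efs_volume_configuration": EFS_ON}]},
    "ec2_omitted": {"requires_compatibilities": ["EC2"],
                    "volume": [{"name": "data", "efs_volume_configuration": EFS_OMITTED}]},
    # the case the thread reports as a false positive: no EFS behind the volume
    "fargate_ephemeral": {"requires_compatibilities": ["FARGATE"],
                          "volume": [{"name": "scratch"}]},
    # Fargate can still mount EFS, so launch type alone must not suppress the rule
    "fargate_efs_disabled": {"requires_compatibilities": ["FARGATE"],
                             "volume": [{"name": "shared", "efs_volume_configuration": EFS_OFF}]},
}


def scan(task_defs: dict = TASK_DEFS) -> dict[str, list[str]]:
    """Run the check over every resource; returns findings keyed by resource name."""
    return {name: efs_transit_findings(name, td) for name, td in task_defs.items()}
```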