Plugin: Elastic File System Encryption Enabled (aquasecurity#180)

* Add a plugin that ensures EFS is configured to encrypt data at rest * Reformat code
kenazk · May 7, 2019 · 5f296dc · 5f296dc
1 parent 7a6dd21
commit 5f296dc
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 1 deletion.
diff --git a/exports.js b/exports.js
@@ -64,6 +64,8 @@ module.exports = {
         'crossVpcPublicPrivate'         : require(__dirname + '/plugins/aws/ec2/crossVpcPublicPrivate.js'),
         'ebsEncryptedSnapshots'         : require(__dirname + '/plugins/aws/ec2/ebsEncryptedSnapshots.js'),
 
+        'efsEncryptionEnabled'          : require(__dirname + '/plugins/aws/efs/efsEncryptionEnabled.js'),
+
         'insecureCiphers'               : require(__dirname + '/plugins/aws/elb/insecureCiphers.js'),
         'elbHttpsOnly'                  : require(__dirname + '/plugins/aws/elb/elbHttpsOnly.js'),
         'elbLoggingEnabled'             : require(__dirname + '/plugins/aws/elb/elbLoggingEnabled.js'),

diff --git a/helpers/aws/regions.js b/helpers/aws/regions.js
@@ -71,5 +71,7 @@ module.exports = {
 	directoryservice: ['us-east-1', 'us-east-2', 'us-west-2', 'us-west-1', 'ca-central-1',
 					   'sa-east-1', 'eu-west-1', 'eu-central-1', 'eu-west-2',
 					   'ap-southeast-1', 'ap-northeast-1', 'ap-southeast-2', 'ap-northeast-2',
-					   'ap-south-1']
+					   'ap-south-1'],
+	efs: [ 'eu-west-2', 'eu-west-1', 'ap-northeast-2', 'ap-northeast-1', 'ap-southeast-1',
+		'ap-southeast-2', 'eu-central-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
 };
diff --git a/plugins/aws/efs/efsEncryptionEnabled.js b/plugins/aws/efs/efsEncryptionEnabled.js
@@ -0,0 +1,67 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'EFS Encryption Enabled',
+    category: 'EFS',
+    description: 'Ensures that EFS volumes are encrypted at rest',
+    more_info: 'EFS offers data at rest encryption using keys managed through AWS Key Management Service (KMS).',
+    link: 'https://aws.amazon.com/blogs/aws/new-encryption-at-rest-for-amazon-elastic-file-system-efs/',
+    recommended_action: 'Encryption of data at rest can only be enabled during file system creation. Encryption of data in transit is configured when mounting your file system. 1. Backup your data in not encrypted efs 2. Recreate the EFS and select \'Enable encryption of data at rest\'',
+    apis: ['EFS:describeFileSystems'],
+    compliance: {
+        hipaa: 'HIPAA requires that all data is encrypted, including data at rest. ' +
+            'EFS is a HIPAA-compliant solution that provides automated encryption ' +
+            'of EC2 storage data at rest.',
+        pci: 'PCI requires proper encryption of cardholder data at rest. EFS ' +
+            'encryption should be enabled for all volumes storing this type ' +
+            'of data.'
+    },
+
+    run: function (cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings.govcloud);
+
+        async.each(regions.efs, function (region, rcb) {
+            var describeFileSystems = helpers.addSource(cache, source,
+                ['efs', 'describeFileSystems', region]);
+
+            if (!describeFileSystems) return rcb();
+
+            if (describeFileSystems.err || !describeFileSystems.data) {
+                helpers.addResult(
+                    results, 3,
+                    'Unable to query for EFS file systems: ' + helpers.addError(describeFileSystems), region);
+                return rcb();
+            }
+
+            if(describeFileSystems.data.length === 0){
+                helpers.addResult(results, 0, 'No EFS file systems present', region);
+                return rcb();
+            }
+
+            var unencryptedEFS = [];
+
+            describeFileSystems.data.forEach(function(efs){
+                if (!efs.Encrypted){
+                    unencryptedEFS.push(efs.FileSystemId);
+                }
+            });
+
+            if (unencryptedEFS.length > 20) {
+                helpers.addResult(results, 2, 'More than 20 EFS systems are unencrypted', region);
+            } else if (unencryptedEFS.length) {
+                for (u in unencryptedEFS) {
+                    helpers.addResult(results, 2, 'EFS: ' + unencryptedEFS[u] + ' is unencrypted', region);
+                }
+            } else {
+                helpers.addResult(results, 0, 'No unencrypted file systems found', region);
+            }
+
+            rcb();
+        }, function () {
+            callback(null, results, source);
+        });
+    }
+};