aws-resource-unencrypted-in-transit
Ensure that data going to and from the managed service is encrypted in transit.
The rule applies to the following resources, each of which configures transport security in a slightly different way.
Supported services
DocumentDB
Secure examples

```hcl
resource "aws_docdb_cluster_parameter_group" "example" {
  family      = "docdb3.6"
  name        = "example"
  description = "docdb cluster parameter group"

  # DocumentDB enforces TLS through the cluster parameter group, not the cluster itself
  parameter {
    name  = "tls"
    value = "enabled"
  }
}
```

```yaml
Type: "AWS::DocDB::DBClusterParameterGroup"
Properties:
  Description: "description"
  Family: "docdb3.6"
  Name: "sampleParameterGroup"
  Parameters:
    audit_logs: "disabled"
    tls: "enabled"
    ttl_monitor: "enabled"
  Tags:
    - Key: "String"
      Value: "String"
```

More information
- Terraform docs on encryption in transit for DocumentDB
- CloudFormation docs on encryption in transit for DocumentDB
ECS
Secure examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Resource0:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: "busybox"
          Image: "busybox"
          Cpu: 256
          EntryPoint:
            - "sh"
            - "-c"
          Memory: 512
          Command:
            - "/bin/sh -c \"while true; do /bin/date > /var/www/my-vol/date; sleep 1; done\""
          Essential: true
      Volumes:
        - Name: MyVolume
          EFSVolumeConfiguration:
            FilesystemId: FilesystemId
            TransitEncryption: "ENABLED"
```

```hcl
resource "aws_ecs_task_definition" "service" {
  family                = "service"
  container_definitions = file("task-definitions/service.json")

  volume {
    name = "service-storage"

    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.fs.id
      root_directory          = "/opt/data"
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999

      authorization_config {
        access_point_id = aws_efs_access_point.test.id
        iam             = "ENABLED"
      }
    }
  }
}
```

More information
- Terraform docs on encryption in transit for ECS
- CloudFormation docs on encryption in transit for ECS
Elasticache
Secure examples

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ReplicationGroup:
    Type: 'AWS::ElastiCache::ReplicationGroup'
    Properties:
      TransitEncryptionEnabled: True
```

```hcl
resource "aws_elasticache_replication_group" "example" {
  automatic_failover_enabled = true
  availability_zones = [
    "us-west-2a",
    "us-west-2b"
  ]
  replication_group_id          = "tf-rep-group-1"
  replication_group_description = "test description"
  node_type                     = "cache.m4.large"
  number_cache_clusters         = 2
  parameter_group_name          = "default.redis3.2"
  port                          = 6379
  at_rest_encryption_enabled    = true
  transit_encryption_enabled    = true
  auth_token                    = var.auth_token
}
```

More information
- Terraform docs on encryption in transit for Elasticache
- CloudFormation docs on encryption in transit for Elasticache
Elasticsearch
Secure examples

```hcl
resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example"
  elasticsearch_version = "7.10"

  # Encrypts traffic between the nodes of the domain
  node_to_node_encryption {
    enabled = true
  }

  # Rejects plain-HTTP requests to the domain endpoint
  domain_endpoint_options {
    enforce_https = true
  }
}
```

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "somedomain.com"
      NodeToNodeEncryptionOptions:
        Enabled: True
```

More information
- Terraform docs on encryption in transit for Elasticsearch
- CloudFormation docs on encryption in transit for Elasticsearch
MSK
Secure examples

```hcl
resource "aws_msk_cluster" "encrypted_msk" {
  cluster_name           = "some-cluster"
  kafka_version          = "1.0"
  number_of_broker_nodes = 2

  encryption_info {
    encryption_in_transit {
      in_cluster    = true   # broker-to-broker traffic
      client_broker = "TLS"  # client-to-broker traffic; TLS_PLAINTEXT and PLAINTEXT would fail the rule
    }
  }
}
```

More information
Redshift
Secure examples

```hcl
resource "aws_redshift_parameter_group" "pass" {
  name   = "redshift-demo"
  family = "redshift-1.0"

  # Redshift enforces TLS through the parameter group's require_ssl setting
  parameter {
    name  = "require_ssl"
    value = "true"
  }
}
```
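The checks above can be expressed as a small policy evaluator. The following Python script is an added example, not code from this rule page or its project: it walks a CloudFormation template parsed from JSON and applies the same expectation to each supported resource type. DocumentDB, ECS, ElastiCache and Elasticsearch use the property names shown in the CloudFormation examples above; MSK and Redshift appear above only in Terraform, so their CloudFormation property names (`EncryptionInfo.EncryptionInTransit.ClientBroker` / `InCluster`, and `Parameters[].ParameterName` / `ParameterValue`) are taken from the AWS resource reference rather than from this page. The sample template is constructed for the demonstration.

```python
"""Evaluate a CloudFormation template (JSON, parsed into a dict) against the
aws-resource-unencrypted-in-transit rule: one check per supported resource type."""
import json
from typing import Callable, Dict, List


def _is_on(value) -> bool:
    """Templates carry these flags as booleans or strings ("true", "True", "ENABLED").
    An absent value counts as off, matching the AWS default for every property here."""
    return str(value).strip().lower() in {"true", "enabled"}


def docdb_parameter_group(props: dict) -> List[str]:
    """AWS::DocDB::DBClusterParameterGroup: Parameters is a map; 'tls' must be 'enabled'."""
    params = props.get("Parameters") or {}
    return [] if _is_on(params.get("tls")) else ["Parameters.tls is not 'enabled'"]


def ecs_task_definition(props: dict) -> List[str]:
    """AWS::ECS::TaskDefinition: every EFS-backed volume needs TransitEncryption ENABLED."""
    findings = []
    for vol in props.get("Volumes") or []:
        efs = vol.get("EFSVolumeConfiguration")
        if efs is None:
            continue  # bind mounts and Docker volumes are outside this rule
        if not _is_on(efs.get("TransitEncryption")):
            findings.append(f"volume {vol.get('Name', '?')}: TransitEncryption is not ENABLED")
    return findings


def elasticache_replication_group(props: dict) -> List[str]:
    """AWS::ElastiCache::ReplicationGroup: TransitEncryptionEnabled must be true."""
    return [] if _is_on(props.get("TransitEncryptionEnabled")) else ["TransitEncryptionEnabled is not true"]


def elasticsearch_domain(props: dict) -> List[str]:
    """AWS::Elasticsearch::Domain: NodeToNodeEncryptionOptions.Enabled must be true."""
    opts = props.get("NodeToNodeEncryptionOptions") or {}
    return [] if _is_on(opts.get("Enabled")) else ["NodeToNodeEncryptionOptions.Enabled is not true"]


def msk_cluster(props: dict) -> List[str]:
    """AWS::MSK::Cluster: ClientBroker must be 'TLS' and InCluster true
    (property names assumed from the AWS CloudFormation resource reference)."""
    transit = (props.get("EncryptionInfo") or {}).get("EncryptionInTransit") or {}
    findings = []
    if transit.get("ClientBroker") != "TLS":
        findings.append("EncryptionInTransit.ClientBroker is not 'TLS'")
    if not _is_on(transit.get("InCluster")):
        findings.append("EncryptionInTransit.InCluster is not true")
    return findings


def redshift_parameter_group(props: dict) -> List[str]:
    """AWS::Redshift::ClusterParameterGroup: Parameters is a list of
    {ParameterName, ParameterValue}; require_ssl must be true (names assumed as above)."""
    for p in props.get("Parameters") or []:
        if p.get("ParameterName") == "require_ssl" and _is_on(p.get("ParameterValue")):
            return []
    return ["Parameters: require_ssl is not true"]


CHECKS: Dict[str, Callable[[dict], List[str]]] = {
    "AWS::DocDB::DBClusterParameterGroup": docdb_parameter_group,
    "AWS::ECS::TaskDefinition": ecs_task_definition,
    "AWS::ElastiCache::ReplicationGroup": elasticache_replication_group,
    "AWS::Elasticsearch::Domain": elasticsearch_domain,
    "AWS::MSK::Cluster": msk_cluster,
    "AWS::Redshift::ClusterParameterGroup": redshift_parameter_group,
}


def check_template(template: dict) -> Dict[str, List[str]]:
    """Return {logical_id: [findings]} for every supported resource that fails the rule."""
    results: Dict[str, List[str]] = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        check = CHECKS.get(resource.get("Type", ""))
        if check is None:
            continue  # resource type not covered by this rule
        findings = check(resource.get("Properties") or {})
        if findings:
            results[logical_id] = findings
    return results


# Constructed sample: JSON forms of two passing examples from above plus three failing resources.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DocDbParams": {"Type": "AWS::DocDB::DBClusterParameterGroup",
                    "Properties": {"Family": "docdb3.6", "Parameters": {"tls": "enabled"}}},
    "TaskDef": {"Type": "AWS::ECS::TaskDefinition",
                "Properties": {"Volumes": [{"Name": "MyVolume", "EFSVolumeConfiguration":
                               {"FilesystemId": "fs-EXAMPLE", "TransitEncryption": "ENABLED"}}]}},
    "PlainCache": {"Type": "AWS::ElastiCache::ReplicationGroup",
                   "Properties": {"ReplicationGroupDescription": "transit flag omitted"}},
    "SearchDomain": {"Type": "AWS::Elasticsearch::Domain",
                     "Properties": {"NodeToNodeEncryptionOptions": {"Enabled": false}}},
    "Kafka": {"Type": "AWS::MSK::Cluster",
              "Properties": {"EncryptionInfo": {"EncryptionInTransit":
                             {"ClientBroker": "TLS_PLAINTEXT", "InCluster": true}}}}
  }
}
""")

if __name__ == "__main__":
    for logical_id, findings in check_template(SAMPLE_TEMPLATE).items():
        for finding in findings:
            print(f"{logical_id}: {finding}")
```

Omitted properties are reported as failures on purpose: for every property checked here the AWS default is unencrypted, so a template that never mentions the setting is exactly the case the rule exists to catch.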