AWS securityhub documentation change
Summary
Added new control ECS.18 for in-transit encryption of EFS volumes and updated branding from 'Security Hub' to 'Security Hub CSPM' in multiple places.
Security assessment
The change adds documentation for a new security control (ECS.18) requiring in-transit encryption for EFS volumes, which protects against eavesdropping and man-in-the-middle attacks. However, there's no evidence of a specific security vulnerability being addressed - this is a proactive security best practice. The branding updates to 'Security Hub CSPM' are administrative changes with no security impact.
Diff
diff --git a/securityhub/latest/userguide/ecs-controls.md b/securityhub/latest/userguide/ecs-controls.md index b09df8b72..f5136216c 100644 --- a//securityhub/latest/userguide/ecs-controls.md +++ b//securityhub/latest/userguide/ecs-controls.md @@ -5 +5 @@ -[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS containers should be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode +[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions[ECS.2] ECS services should not have public IP addresses assigned to them automatically[ECS.3] ECS task definitions should not share the host's process namespace[ECS.4] ECS containers should run as non-privileged[ECS.5] ECS containers should be limited to read-only access to root filesystems[ECS.8] Secrets should not be passed as container environment variables[ECS.9] ECS task definitions should have a logging configuration[ECS.10] ECS Fargate services should run on the latest Fargate platform version[ECS.12] ECS clusters should use Container Insights[ECS.13] ECS services should be tagged[ECS.14] ECS clusters should be tagged[ECS.15] ECS task definitions should be tagged[ECS.16] ECS task sets should not automatically assign public IP addresses[ECS.17] ECS task definitions should not use host network mode[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes @@ -7 +7 @@ -# Security Hub controls for Amazon ECS +# Security Hub CSPM controls for Amazon ECS @@ -9 +9 @@ -These Security Hub controls evaluate the Amazon Elastic Container Service (Amazon ECS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These Security Hub CSPM controls evaluate the Amazon Elastic Container Service (Amazon ECS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -54 +54 @@ When you update a task definition, it doesn't update running tasks that were lau -**AWS Config rule:** `ecs-service-assign-public-ip-disabled` (custom Security Hub rule) +**AWS Config rule:** `ecs-service-assign-public-ip-disabled` (custom Security Hub CSPM rule) @@ -251 +251 @@ To use Container Insights, see [Updating a service](https://docs.aws.amazon.com/ -**AWS Config rule:** `tagged-ecs-service` (custom Security Hub rule) +**AWS Config rule:** `tagged-ecs-service` (custom Security Hub CSPM rule) @@ -257 +257 @@ To use Container Insights, see [Updating a service](https://docs.aws.amazon.com/ -Parameter | Description | Type | Allowed custom values | Security Hub default value +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value @@ -281 +281 @@ To add tags to an ECS service, see [Tagging your Amazon ECS resources](https://d -**AWS Config rule:** `tagged-ecs-cluster` (custom Security Hub rule) +**AWS Config rule:** `tagged-ecs-cluster` (custom Security Hub CSPM rule) @@ -287 +287 @@ To add tags to an ECS service, see [Tagging your Amazon ECS resources](https://d -Parameter | Description | Type | Allowed custom values | Security Hub default value +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value @@ -311 +311 @@ To add tags to an ECS cluster, see [Tagging your Amazon ECS resources](https://d -**AWS Config rule:** `tagged-ecs-taskdefinition` (custom Security Hub rule) +**AWS Config rule:** `tagged-ecs-taskdefinition` (custom Security Hub CSPM rule) @@ -317 +317 @@ To add tags to an ECS cluster, see [Tagging your Amazon ECS resources](https://d -Parameter | Description | Type | Allowed custom values | Security Hub default value +Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value @@ -343 +343 @@ To add tags to an ECS task definition, see [Tagging your Amazon ECS resources](h -**AWS Config rule:** `ecs-taskset-assign-public-ip-disabled` (custom Security Hub rule) +**AWS Config rule:** `ecs-taskset-assign-public-ip-disabled` (custom Security Hub CSPM rule) @@ -382,0 +383,22 @@ If the Amazon ECS task definition was created by AWS Batch, see [Networking mode +## [ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes + +**Category:** Protect > Encryption of data-in-transit + +**Severity:** Medium + +**Resource type:** `AWS::ECS::TaskDefinition` + +**AWS Config rule:** `ecs-task-definition-efs-encryption-enabled` + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether the latest active revision of an Amazon ECS task definition uses in-transit encryption for EFS volumes. The control fails if the latest active revision of the ECS task definition has in-transit encryption disabled for EFS volumes. + +Amazon EFS volumes provide simple, scalable, and persistent shared file storage for use with your Amazon ECS tasks. Amazon EFS supports encryption of data in transit with Transport Layer Security (TLS). When encryption of data in transit is declared as a mount option for your EFS file system, Amazon EFS establishes a secure TLS connection with your EFS file system upon mounting your file system. + +### Remediation + +For information about enabling in-transit encryption for Amazon ECS Task Definition with EFS volumes, see [Step 5: Create a task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/tutorial-efs-volumes.html#efs-task-def) in the _Amazon Elastic Container Service Developer Guide_. +