Control: EFS file systems should enforce SSL
Description
To help protect data in transit, ensure that your EFS file systems require requests to use Secure Socket Layer (SSL).
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.efs_file_system_enforces_ssl
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.efs_file_system_enforces_ssl --share
SQL
This control uses a named query:
with ssl_ok as ( select distinct name, arn, 'ok' as status from aws_efs_file_system, jsonb_array_elements(policy_std -> 'Statement') as s, jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, jsonb_array_elements_text(s -> 'Action') as a, jsonb_array_elements_text( s -> 'Condition' -> 'Bool' -> 'aws:securetransport' ) as ssl where p = '*' and s ->> 'Effect' = 'Deny' and ssl :: bool = false)select f.arn as resource, case when ok.status = 'ok' then 'ok' else 'alarm' end as status, case when ok.status = 'ok' then f.title || ' policy enforces HTTPS.' else f.title || ' policy does not enforce HTTPS.' end as reason , f.region, f.account_idfrom aws_efs_file_system as f left join ssl_ok as ok on ok.name = f.name;