FP AVD-AWS-0035

[tzurielweisberg]

IDs

AVD-AWS-0035

Description

Customer is having an AVD-AWS-0035 in the Supply Chain, but as they insist, they don’t use EFS volume

Reproduction Steps

1.
2.
3.
...

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

.

Version

v0.42.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

It would be helpful to see a small snippet with which we can reproduce this issue.

FYI this rule isn't new as it has existed for several years.

[eswets]

Just hit this issue as well, i'll attempt to provide some context.

On ECS several different types of data volumes are supported. In our case, we use a bind mount in our task definition.

With this configuration, ECS uses ephemeral storage, which is by default encrypted when running on Fargate 1.4.0.

So, I guess at the very least the detection rule should more specifically target EFS volumes (e.g., efsVolumeConfiguration object should be present in a volume configuration block). Or perhaps the rule can be expanded (or another rule created) to also evaluate the configurations of the different volume types.