AWS Security Hub · ECS
ECS.18: ECS task defs should encrypt EFS volumes in transit
Written and reviewed by Emnode
What does AWS Security Hub ECS.18 check?
ECS.18 evaluates the latest ACTIVE revision of each task-definition family and inspects the efsVolumeConfiguration of every EFS volume. It passes when transitEncryption is ENABLED and fails when it is DISABLED or omitted; an omitted value is treated as DISABLED, so the NFS traffic between the task and EFS crosses the VPC in plaintext.
Why does ECS.18 matter?
NFS traffic between a task and an EFS file system carries the actual contents of the files the app reads and writes — uploads, configuration, cached secrets, user data. Without TLS, anyone who can observe the VPC network path can read or tamper with it: a compromised sidecar, an overly broad security group, or a misconfigured mirroring session all sit on that path. Encryption in transit is also a hard requirement in most compliance regimes.
How do I fix ECS.18?
- Set transitEncryption to ENABLED in each EFS volume's efsVolumeConfiguration. Add the key explicitly; leaving it out means DISABLED.
- Register the new revision and redeploy the service so running tasks are replaced. Registering a revision on its own changes nothing.
- Confirm the EFS mount targets' security groups still permit the TLS-wrapped NFS connection. The TLS tunnel is opened by the EFS mount helper on the container instance and terminates on the mount target's NFS port (2049), so the existing inbound rule from the task's security group is what matters; transitEncryptionPort only sets the local tunnel port on the host.
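The three fix steps above as a working script. This is an added example, not code from the original page or from AWS; the family name web-prod, file-system and access-point IDs, ARNs and image are constructed. It mirrors the ECS.18 check (omitted means DISABLED), builds a register-task-definition body from describe-task-definition output, stripping the read-only keys the API rejects, and, in the live helper, rolls the service onto the new revision with boto3.

```python
"""Remediation helper for ECS.18: find EFS volumes without transit encryption,
produce a corrected task-definition body, and (optionally) register and deploy it.
Added example; the task-definition JSON below is constructed, not a real account's."""
import copy

# Keys that describe-task-definition returns but register-task-definition rejects.
READ_ONLY_FIELDS = frozenset({
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
})


def noncompliant_volumes(task_def):
    """Mirror the ECS.18 check: names of EFS volumes whose transitEncryption
    is not ENABLED. A missing key counts as DISABLED, exactly as ECS treats it."""
    names = []
    for vol in task_def.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is None:
            continue  # bind mounts and Docker volumes carry no NFS traffic
        if efs.get("transitEncryption") != "ENABLED":
            names.append(vol["name"])
    return names


def remediate(task_def):
    """Return a register-task-definition body (new dict, input untouched) with
    transitEncryption set to ENABLED on every EFS volume; everything else is kept."""
    body = {k: v for k, v in copy.deepcopy(task_def).items() if k not in READ_ONLY_FIELDS}
    for vol in body.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is not None:
            efs["transitEncryption"] = "ENABLED"
    return body


def sample_task_definition():
    """Constructed describe-task-definition output (hypothetical family, IDs, ARNs)."""
    return {
        "taskDefinitionArn": "arn:aws:ecs:eu-west-1:123456789012:task-definition/web-prod:7",
        "family": "web-prod",
        "revision": 7,
        "status": "ACTIVE",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "512",
        "memory": "1024",
        "containerDefinitions": [{
            "name": "web",
            "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/web:1.0",
            "mountPoints": [
                {"sourceVolume": "uploads", "containerPath": "/srv/uploads"},
                {"sourceVolume": "cache", "containerPath": "/var/cache/app"},
            ],
        }],
        "volumes": [
            # transitEncryption omitted: fails ECS.18
            {"name": "uploads", "efsVolumeConfiguration": {
                "fileSystemId": "fs-0123456789abcdef0", "rootDirectory": "/uploads"}},
            # explicitly DISABLED: fails ECS.18
            {"name": "cache", "efsVolumeConfiguration": {
                "fileSystemId": "fs-0123456789abcdef0", "rootDirectory": "/cache",
                "transitEncryption": "DISABLED"}},
            # already compliant; access-point/IAM authorization needs TLS anyway
            {"name": "shared", "efsVolumeConfiguration": {
                "fileSystemId": "fs-0fedcba9876543210", "transitEncryption": "ENABLED",
                "authorizationConfig": {"accessPointId": "fsap-0123456789abcdef0",
                                        "iam": "ENABLED"}}},
        ],
        "requiresAttributes": [{"name": "ecs.capability.efsAuth"}],
        "compatibilities": ["EC2", "FARGATE"],
        "registeredBy": "arn:aws:iam::123456789012:user/deployer",
    }


def remediate_family(family, cluster=None, service=None):
    """Live version: pull the latest ACTIVE revision, register a fixed one if needed,
    and roll the service onto it. Needs boto3 and credentials; not exercised offline."""
    import boto3  # imported here so the pure logic above stays importable without it
    ecs = boto3.client("ecs")
    current = ecs.describe_task_definition(taskDefinition=family)["taskDefinition"]
    if not noncompliant_volumes(current):
        return current["taskDefinitionArn"]  # already passes ECS.18
    new_arn = ecs.register_task_definition(**remediate(current))["taskDefinition"]["taskDefinitionArn"]
    if cluster and service:
        # Registering alone changes nothing; update-service starts the rollout.
        ecs.update_service(cluster=cluster, service=service, taskDefinition=new_arn)
    return new_arn


if __name__ == "__main__":
    td = sample_task_definition()
    print("failing volumes:", noncompliant_volumes(td))      # ['uploads', 'cache']
    print("after fix:", noncompliant_volumes(remediate(td)))  # []
```

Run remediate_family("web-prod", cluster="prod", service="web") against a real account to apply it; the read-only-key stripping is the step people usually trip over when round-tripping describe output back into register.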
Is ECS.18 a false positive?
Enabling at-rest encryption on the EFS file system does not satisfy ECS.18 — that protects stored bytes, not bytes in flight. In-transit encryption is a separate task-definition setting and must be enabled explicitly.
More ECS controls
- ECS.2 An ECS service auto-assigns public IPs to tasks
- ECS.3 A task definition shares the host PID namespace
- ECS.4 A container runs in privileged mode
- ECS.5 A container has a writable root filesystem
- ECS.8 Secrets are passed as plaintext container env vars
- ECS.9 A task definition has no logging configuration
- ECS.10 Fargate services should run latest platform version
- ECS.12 ECS clusters should use Container Insights
- ECS.16 An ECS task set auto-assigns public IPs
- ECS.19 Capacity providers managed termination protection
- ECS.20 Linux containers should run as non-root users
- ECS.21 Windows containers should run as non-admin users