Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys

When you define and use your own KMS customer-managed keys (CMKs) to protect the data and metadata of your EFS file systems, you gain full control over who can use those keys to access the data (including the file system metadata). The AWS KMS service lets you create, rotate, disable and audit the CMKs used by your file systems.

Risk Level: Low
Cloud Entity: Amazon Elastic File System (EFS)
CloudGuard Rule ID: D9.AWS.CRY.23
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

EFS should have encryptionKey.isCustomerManaged=true
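The GSL condition above checks that a file system's KMS key is customer-managed, not the AWS-managed `aws/elasticfilesystem` key. The following added Python example (not CloudGuard's or AWS's code) applies that check to constructed records shaped like the `aws efs describe-file-systems` and `aws kms describe-key` responses; the file system IDs and key ARNs are made up.

```python
"""Evaluate 'EFS should have encryptionKey.isCustomerManaged=true' offline
against constructed sample data shaped like the AWS API responses."""

# Constructed sample: entries in the shape of `describe-file-systems` output.
FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000000000000001", "Encrypted": False},
    {"FileSystemId": "fs-0000000000000002", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-sample"},
    {"FileSystemId": "fs-0000000000000003", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/customer-cmk-sample"},
]

# Constructed sample: `describe-key` KeyMetadata indexed by key ARN. In the real
# API, KeyManager is "AWS" for AWS-managed keys and "CUSTOMER" for CMKs.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-sample": {"KeyManager": "AWS"},
    "arn:aws:kms:us-east-1:111122223333:key/customer-cmk-sample": {"KeyManager": "CUSTOMER"},
}


def is_customer_managed(fs, key_metadata):
    """True only if the file system is encrypted with a customer-managed KMS key."""
    if not fs.get("Encrypted"):
        return False  # unencrypted file systems have no key at all
    meta = key_metadata.get(fs.get("KmsKeyId"))
    if meta is None:
        return False  # key not found or not visible: fail closed
    return meta.get("KeyManager") == "CUSTOMER"


def evaluate(file_systems, key_metadata):
    """Map each FileSystemId to 'PASS' or 'FAIL' for the rule."""
    return {
        fs["FileSystemId"]: ("PASS" if is_customer_managed(fs, key_metadata) else "FAIL")
        for fs in file_systems
    }


if __name__ == "__main__":
    for fs_id, verdict in evaluate(FILE_SYSTEMS, KEY_METADATA).items():
        print(fs_id, verdict)
```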

REMEDIATION

From Portal
You can enable encryption of data at rest only when creating an Amazon EFS file system. The following steps encrypt a file system at rest using the AWS Console.

  1. Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
  2. Choose 'Create file system' to open the file system creation wizard.
  3. Check 'Enable encryption of data at rest' checkbox.
  4. Click on 'Customize encryption settings' and choose the customer-managed KMS Key from dropdown list to enable encryption using your own KMS CMK key.

Note: There is no way to enable encryption on an existing EFS file system if it was not enabled when the file system was created. To encrypt an existing Amazon EFS file system, create a new file system with encryption enabled and copy all data from the existing file system to the new one.

From TF

resource "aws_efs_file_system" "example" {
  creation_token = "default-efs"
  encrypted      = true                         # add: enable encryption at rest
  kms_key_id     = aws_kms_key.default-kms.arn  # add: use your customer-managed key (assumes an aws_kms_key resource named "default-kms")
}

From Command Line

aws efs create-file-system --creation-token VALUE --performance-mode VALUE --encrypted --kms-key-id KEY_ID

Note: The --encrypted parameter alone encrypts the file system with the AWS-managed default key; adding --kms-key-id encrypts the file system with the customer-managed CMK you specify.

Amazon Elastic File System (EFS)

Amazon Elastic File System (Amazon EFS) provides simple, scalable, elastic file storage for use with AWS Cloud services and on-premises resources. It is easy to use and offers a simple interface that allows you to create and configure file systems quickly and easily. Amazon EFS is built to elastically scale on demand without disrupting applications, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset