Risk Level: Low
Cloud Entity: Amazon Elastic File System (EFS)
CloudGuard Rule ID: D9.AWS.CRY.23
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

EFS should have encryptionKey.isCustomerManaged=true

REMEDIATION

From Portal
You can enable encryption of data at rest when creating an Amazon EFS file system. Following are the steps to encrypt a File System at Rest Using the AWS Console.

Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.
Choose 'Create file system' to open the file system creation wizard.
Check 'Enable encryption of data at rest' checkbox.
Click on 'Customize encryption settings' and choose the customer-managed KMS Key from dropdown list to enable encryption using your own KMS CMK key.

Note: There is no functionality that allows you to encrypt existing EFS if the encryption wasn't enabled during the creation of Amazon EFS process. In order to encrypt an existing Amazon EFS, you need to create a new Amazon EFS and copy all the data from the existing Amazon EFS onto the new one with encryption enabled.

From TF

resource "aws_efs_file_system" "example" {
  creation_token = "default-efs"
  encrypted = true
  kms_key_id = aws_kms_key.default-kms.arn
}

From Command Line

aws efs create-file-system --creation-token VALUE --performance-mode VALUE --encrypted --kms-key-id KEY_ID

Note: --encrypted parameter will encrypt using default master key and --kms-key-id parameter will encrypt the snapshot with a customer-managed Customer CMK.

References

Amazon Elastic File System (EFS)

Amazon Elastic File System (Amazon EFS) provides simple, scalable, elastic file storage for use with AWS Cloud services and on-premises resources. It is easy to use and offers a simple interface that allows you to create and configure file systems quickly and easily. Amazon EFS is built to elastically scale on demand without disrupting applications, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it.

Compliance Frameworks

AWS CIS Controls V 8
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset