Amazon EFS Encryption Rule

Overview of the rule requiring Amazon EFS to encrypt file data at rest using AWS KMS.

Rule: Amazon EFS should be configured to encrypt file data at rest using AWS KMS
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

The rule requires that Amazon Elastic File System (EFS) is configured to encrypt file data at rest using AWS Key Management Service (KMS) for compliance with AWS Foundational Security Best Practices. Encrypting file data at rest ensures that even if the underlying storage media or physical device is compromised, the data remains protected.
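The following Python script, added here as an example and not part of the original page or of Cloud Defense's own checks, evaluates this rule over the output of aws efs describe-file-systems. The sample file-system records and key ARN are constructed; the evaluate_region helper assumes boto3 and AWS credentials are available, and the optional key_managers lookup is an assumed helper input showing how the AWS managed aws/elasticfilesystem key can be told apart from a customer managed one.

```python
"""Evaluate the EFS encryption-at-rest rule over describe-file-systems output."""
from dataclasses import dataclass
from typing import Optional
# Constructed sample shaped like `aws efs describe-file-systems` output (no real resources).
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0a1b2c3d4e5f6a7b8", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    {"FileSystemId": "fs-0f1e2d3c4b5a69788", "Encrypted": False},
]

@dataclass
class Finding:
    file_system_id: str
    status: str                        # "PASSED" or "FAILED"
    reason: str
    kms_key_id: Optional[str] = None
    key_manager: Optional[str] = None  # "AWS" or "CUSTOMER" when known

def evaluate_file_system(fs: dict, key_managers: Optional[dict] = None) -> Finding:
    """Apply the rule to one element of the 'FileSystems' list.
    key_managers (assumed helper input) maps a key ARN to KeyMetadata.KeyManager from
    `aws kms describe-key`, distinguishing the AWS managed key from a customer managed one."""
    fs_id = fs["FileSystemId"]
    if not fs.get("Encrypted", False):
        return Finding(fs_id, "FAILED", "not encrypted at rest; encryption is fixed at "
                       "creation, so the data must move to a new encrypted file system")
    key = fs.get("KmsKeyId")
    if not key:
        return Finding(fs_id, "FAILED", "Encrypted is true but no KMS key is recorded")
    return Finding(fs_id, "PASSED", "encrypted at rest with a KMS key", key,
                   (key_managers or {}).get(key))

def evaluate_all(file_systems: list, key_managers: Optional[dict] = None) -> list:
    return [evaluate_file_system(fs, key_managers) for fs in file_systems]

def failing_ids(file_systems: list) -> list:
    """IDs of file systems that violate the rule, for a ticket or alert."""
    return [f.file_system_id for f in evaluate_all(file_systems) if f.status == "FAILED"]

def evaluate_region(region: str) -> list:
    """Live check with boto3 (needs AWS credentials); pages through every file system."""
    import boto3  # imported here so the offline sample run does not need the SDK
    pages = boto3.client("efs", region_name=region).get_paginator("describe_file_systems")
    systems = [fs for page in pages.paginate() for fs in page["FileSystems"]]
    return evaluate_all(systems)

if __name__ == "__main__":  # offline demo on the constructed sample
    for f in evaluate_all(SAMPLE_FILE_SYSTEMS):
        print(f"{f.file_system_id}: {f.status} ({f.reason})")
```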

Troubleshooting Steps

If EFS is not configured to encrypt file data at rest using AWS KMS, you can follow these troubleshooting steps:

  1. Verify EFS Encryption Status: Confirm whether EFS encryption is enabled for the file system in question. You can check the encryption status by navigating to the Amazon EFS service console and selecting the desired file system. On the file system details page, under "File system details," you will find the encryption status.

  2. Check KMS Key Policy: Ensure that the Key Management Service (KMS) key used for EFS encryption has a policy that allows EFS to use the key. You can navigate to the AWS Key Management Service console, select the desired key, and review the key policy. The policy should include the necessary permissions for EFS to use the key.

  3. Check File System Policies: Review the file system policies associated with EFS. Make sure the file system policy allows encryption of file data at rest using KMS. You can find the file system policies under the "Access" section in the Amazon EFS service console.

Necessary Codes

Encryption at rest can only be chosen when an EFS file system is created; it cannot be enabled on an existing file system, and the update-file-system command has no encryption options. To create a file system whose data is encrypted at rest with a KMS key, use the following AWS CLI command:

aws efs create-file-system --creation-token <creation-token> --encrypted --kms-key-id <kms-key-id>

Replace <creation-token> with any unique string of your choosing (it makes the request idempotent) and <kms-key-id> with the ID or ARN of the KMS key you want to use for encryption. If --kms-key-id is omitted, EFS uses the AWS managed key aws/elasticfilesystem.

Step-by-Step Guide for Remediation

  1. Open the Amazon EFS service console.
  2. Select the EFS file system that needs to be configured for encryption.
  3. Under the "File system details" section, check the encryption status. If it shows "Not encrypted," proceed to the next step.
  4. Open the AWS Key Management Service (KMS) console.
  5. Review the available keys and select the appropriate KMS key that you want to use for EFS encryption.
  6. Check the key policy associated with the selected KMS key. Ensure that it allows EFS to use the key.
  7. Go back to the Amazon EFS console and select the file system you are working with.
  8. Click on the "Access" tab to review the file system policies.
  9. Ensure the file system policy allows encryption of file data at rest using KMS.
  10. If the file system is not encrypted, open a terminal with the AWS CLI installed (for example PowerShell on Windows) on your local machine.
  11. Run the following command to create a replacement file system that is encrypted at rest, since encryption cannot be enabled on an existing file system:

aws efs create-file-system --creation-token <creation-token> --encrypted --kms-key-id <kms-key-id>

Replace <creation-token> with any unique string of your choosing and <kms-key-id> with the ID or ARN of the KMS key you want to use for encryption.
  12. Once the command executes successfully, verify the encryption status of the new file system in the Amazon EFS console. It should show that the file system is encrypted. Move the data from the unencrypted file system to the new one and update your clients to mount it.
  13. Repeat the above steps for any other EFS file systems that need to be configured for encryption.

By following these steps, you can ensure that your Amazon EFS file systems are properly configured to encrypt file data at rest using AWS KMS, meeting the AWS Foundational Security Best Practices.
