Ensure EFS file systems are encrypted with Customer Managed Keys (CMK) for improved security.
Rule      | EFS file systems should be encrypted with CMK
Framework | CISA-cyber-essentials
Severity  | Medium
EFS File Systems Encryption with CMK for CISA-Cyber Essentials
Description:
Encryption is a crucial security measure to protect sensitive data from unauthorized access. In the context of Amazon Elastic File System (EFS), encrypting file systems at rest with an AWS Key Management Service (KMS) customer managed key (CMK, formerly called a Customer Master Key) rather than the default AWS managed key keeps the key policy, rotation and auditing under your control, and helps satisfy the encryption requirements of the CISA-Cyber Essentials framework.
Troubleshooting Steps (if applicable):
If you encounter issues while encrypting EFS file systems with a CMK, follow these troubleshooting steps:
Necessary Codes (if applicable):
Here is an example AWS CLI command that creates an EFS file system encrypted with a CMK (the --encrypted flag is required whenever --kms-key-id is given; the API rejects a KmsKeyId on an unencrypted file system):
aws efs create-file-system --performance-mode generalPurpose --encrypted --kms-key-id <CMK_Key_ID>
Step-by-Step Guide for Remediation:
1. Identify the CMK: Determine the customer managed key (CMK) to be used for encrypting the EFS file system. If you don't have a CMK, you can create one using the AWS Key Management Service (KMS).
2. Grant Permissions: Ensure that the IAM role or user associated with the EFS file system has the necessary permissions to access and use the CMK. This can be done by updating the Key Policy associated with the CMK.
3. Encrypt the EFS File System: Use the AWS CLI or AWS Management Console to create a new EFS file system, specifying the CMK to be used for encryption. Encryption at rest can only be enabled when a file system is created, so an existing unencrypted file system cannot be encrypted in place; its data must be copied into a new encrypted file system instead. If using the AWS CLI, you can execute the following command:
   aws efs create-file-system --performance-mode generalPurpose --encrypted --kms-key-id <CMK_Key_ID>
   Replace <CMK_Key_ID> with the actual Key ID of the CMK to be used (the key ARN or an alias is also accepted).
4. Verify Encryption: Once the EFS file system is created, verify that it is encrypted with the desired CMK by checking the encryption key associated with the file system using the AWS CLI:
   aws efs describe-file-systems --file-system-id <EFS_FileSystem_ID>
   Replace <EFS_FileSystem_ID> with the actual File System ID of your EFS. Ensure that "Encrypted" is true and that the "KmsKeyId" property (returned as the key ARN) matches the CMK you specified during the creation of the EFS file system.
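The verification step above inspects one file system by hand. As an added example (not from this page or the rule's source), the following audit applies the same rule across every file system offline: it uses constructed sample data in the shape of `aws efs describe-file-systems` output, plus a dict standing in for the `KeyManager` field of `aws kms describe-key`, because a key ARN alone does not say whether the key is AWS managed or customer managed.

```python
import json

# Constructed sample in the shape of `aws efs describe-file-systems` output
# (only the fields the check needs; the account id is a placeholder).
DESCRIBE_FILE_SYSTEMS = json.loads("""
{"FileSystems": [
  {"FileSystemId": "fs-0001", "Encrypted": false},
  {"FileSystemId": "fs-0002", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-0000-0000-0000-000000000001"},
  {"FileSystemId": "fs-0003", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-0000-0000-0000-000000000002"}
]}""")

# Constructed stand-in for `aws kms describe-key --key-id <arn>`: the
# KeyManager field is "AWS" for AWS managed keys (such as the default
# alias/aws/elasticfilesystem key) and "CUSTOMER" for customer managed keys.
KMS_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-0000-0000-0000-000000000001": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-0000-0000-0000-000000000002": "CUSTOMER",
}


def classify(fs, key_manager):
    """Return 'unencrypted', 'aws_managed_key', 'cmk' or 'unknown_key'."""
    if not fs.get("Encrypted"):
        return "unencrypted"          # no encryption at rest at all
    manager = key_manager.get(fs.get("KmsKeyId"))
    if manager == "CUSTOMER":
        return "cmk"                  # compliant with the rule
    if manager == "AWS":
        return "aws_managed_key"      # encrypted, but not with a CMK
    return "unknown_key"              # key not resolvable (deleted, other account, no access)


def non_compliant(describe_output, key_manager):
    """Map FileSystemId -> reason for every file system that fails the rule."""
    findings = {}
    for fs in describe_output["FileSystems"]:
        status = classify(fs, key_manager)
        if status != "cmk":
            findings[fs["FileSystemId"]] = status
    return findings


if __name__ == "__main__":
    for fs_id, reason in non_compliant(DESCRIBE_FILE_SYSTEMS, KMS_KEY_MANAGER).items():
        print(f"{fs_id}: {reason}")
```

An "unknown_key" result is worth treating as a finding too: it usually means the key was deleted, lives in another account, or the auditing principal lacks kms:DescribeKey.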
Conclusion:
Encrypting EFS file systems with a CMK provides an additional layer of security and helps fulfill the encryption requirements outlined in the CISA-Cyber Essentials framework. By following the steps above and using the commands shown, you can create EFS file systems that are encrypted with a CMK and verify that they are.