Check the compliance status for encrypting EFS file systems with CMK
Rule | EFS file systems should be encrypted with CMK |
Framework | CISA-cyber-essentials |
Severity | ✔ Medium |
Rule Description:
EFS (Elastic File System) file systems should be encrypted using Customer Master Keys (CMK) to comply with the CISA Cyber Essentials guidelines. Encrypting EFS file systems strengthens the protection of sensitive data stored in them and reduces the risk of unauthorized access or data breaches.
Troubleshooting Steps:
If you encounter any issues while encrypting EFS file systems with CMK, follow these troubleshooting steps:
1. Verify AWS Key Management Service (KMS) integration: Ensure that the AWS account associated with the EFS file system has integrated Key Management Service (KMS) properly.
2. Check KMS permissions: Validate that the required permissions are granted to the IAM role or user trying to encrypt the EFS file system. The necessary permissions include kms:Encrypt and kms:DescribeKey.
3. Verify CMK permissions: Ensure that the CMK (Customer Master Key) has the necessary permissions to encrypt the EFS file system. The key policy should allow the IAM role or user to perform the required encryption operations.
4. Confirm CMK configuration: Check the key rotation status and other configuration settings for the CMK. Ensure that the key is enabled and properly configured.
5. Test EFS encryption: Attempt to encrypt a small file using the CMK. If the encryption fails, review the error message and follow any provided suggestions for resolution.
Necessary Codes:
The following command demonstrates how to create an EFS file system encrypted with a CMK using the AWS CLI:
aws efs create-file-system \
    --creation-token your-creation-token \
    --encrypted \
    --kms-key-id your-kms-key-id
Step-by-step Guide for Remediation:
Follow these steps to encrypt an EFS file system with a CMK using AWS CLI:
1. Open the AWS Command Line Interface (CLI) or use AWS CloudShell.
2. Run the following command to create an encrypted EFS file system with a CMK:
   aws efs create-file-system \
       --creation-token your-creation-token \
       --encrypted \
       --kms-key-id your-kms-key-id
   Replace "your-creation-token" with a unique value that identifies the encrypted EFS file system you are creating.
   Replace "your-kms-key-id" with the actual ID of your Customer Master Key (CMK) in Key Management Service (KMS).
3. Wait for the command to execute successfully. It returns the FileSystemId of the newly created encrypted EFS file system.
4. Update your applications or systems to use the newly created encrypted EFS file system.
5. Monitor the encryption process to ensure all data is encrypted properly.
Note:
Make sure to replace the placeholder values mentioned in the commands and consult the AWS CLI documentation for any updates or additional configuration requirements specific to your environment.
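To check the compliance status this rule describes, the following Python script (an added example, not part of the original rule page or any vendor tool) evaluates each file system against the rule: encrypted at rest, and encrypted with an enabled customer-managed key rather than the AWS-managed EFS key. It runs offline on constructed records shaped like the efs DescribeFileSystems and kms DescribeKey responses (all IDs and ARNs are made up), and fetch_live_findings() applies the same logic to a real account through boto3; the CMK test relies on KMS reporting KeyManager "AWS" or "CUSTOMER" in KeyMetadata.

```python
def evaluate_file_system(fs, key_metadata):
    """Return (status, reason) for one entry of efs DescribeFileSystems()['FileSystems'];
    key_metadata is kms DescribeKey()['KeyMetadata'] for its KmsKeyId, or None."""
    if not fs.get("Encrypted"):
        return "alarm", "not encrypted at rest"
    if key_metadata is None:
        return "alarm", "encrypted, but the KMS key could not be described"
    # The AWS-managed key (alias/aws/elasticfilesystem) reports KeyManager 'AWS';
    # the rule requires a customer-managed key, which reports 'CUSTOMER'.
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return "alarm", "encrypted with the AWS-managed key, not a CMK"
    if key_metadata.get("KeyState") != "Enabled":
        return "alarm", "CMK is not enabled (state %s)" % key_metadata.get("KeyState")
    return "ok", "encrypted with an enabled customer-managed key"

def evaluate_all(file_systems, keys):
    """Map FileSystemId -> (status, reason); keys maps KmsKeyId -> KeyMetadata."""
    return {fs["FileSystemId"]: evaluate_file_system(fs, keys.get(fs.get("KmsKeyId")))
            for fs in file_systems}

# Constructed sample records (made-up IDs and ARNs, shaped like the API responses).
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-example"
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000aaaa", "Encrypted": False},
    {"FileSystemId": "fs-0000bbbb", "Encrypted": True, "KmsKeyId": AWS_KEY},
    {"FileSystemId": "fs-0000cccc", "Encrypted": True, "KmsKeyId": CMK},
]
SAMPLE_KEYS = {
    AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

def fetch_live_findings(region_name=None):
    """Same evaluation against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample above runs without it
    from botocore.exceptions import ClientError
    efs = boto3.client("efs", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    file_systems = [fs for page in efs.get_paginator("describe_file_systems").paginate()
                    for fs in page["FileSystems"]]
    keys = {}
    for key_id in {fs["KmsKeyId"] for fs in file_systems if fs.get("KmsKeyId")}:
        try:
            keys[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        except ClientError:  # e.g. AccessDenied on a key owned by another account
            keys[key_id] = None
    return evaluate_all(file_systems, keys)
```

Call evaluate_all(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS) to see the offline verdicts, or fetch_live_findings() in a session with efs:DescribeFileSystems and kms:DescribeKey permissions.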