This rule emphasizes enabling EFS file system encryption at rest to enhance data security and compliance.
Rule | EFS file system encryption at rest should be enabled |
Framework | General Data Protection Regulation (GDPR) |
Severity | ✔ High |
Rule Name: EFS File System Encryption at Rest for GDPR compliance
Rule Description:
Enabling encryption at rest for EFS (Amazon Elastic File System) is a crucial security requirement for GDPR compliance when the file system holds personal or otherwise sensitive data. EFS encryption at rest uses an AWS KMS key to encrypt the data and metadata on disk, so the contents stay protected even if the underlying storage is accessed outside the file system's access controls.
Troubleshooting Steps:
If encryption at rest is not enabled for an EFS file system, follow the remediation steps below:
Remediation Steps:
To enable EFS file system encryption at rest for GDPR compliance, follow the steps below:
Open the AWS Management Console and navigate to the "Amazon EFS" dashboard.
Select the appropriate EFS file system for which you want to enable encryption at rest.
Click on the "Actions" button and choose the "Modify File System" option.
Scroll down to the "Encryption" section and select the "Encrypt" option.
Choose the appropriate AWS Key Management Service (KMS) Key for encryption. Ensure that the selected KMS key has the necessary permissions and is compliant with GDPR requirements.
Click on the "Save" button to apply the changes.
Wait for the modification to complete. The status of the EFS file system should change to "Updating."
Verify the encryption status by checking the properties of the EFS file system. The encryption option should be enabled.
CLI Command:
Alternatively, you can use the AWS CLI. Encryption at rest is fixed when an EFS file system is created and cannot be switched on for an existing file system afterwards (aws efs update-file-system only changes throughput settings), so the CLI path is to create a new encrypted file system with the chosen KMS key and move the data into it:
aws efs create-file-system --encrypted --kms-key-id <kms-key-id> --tags Key=Name,Value=<file-system-name>
Replace <kms-key-id> with the ID or ARN of the KMS key used for encryption and <file-system-name> with the name for the new file system. If --kms-key-id is omitted, EFS uses the AWS managed key aws/elasticfilesystem. Copy the data from the unencrypted file system into the new one (for example with AWS DataSync), point the clients at the new file system, and then delete the old one. Make sure you have the necessary permissions (elasticfilesystem:CreateFileSystem and use of the selected KMS key) to execute this command successfully.
Note:
Enabling encryption at rest for EFS may incur additional costs for KMS key usage. Please review the pricing details to understand the associated costs.
Verification:
To verify if EFS encryption at rest is successfully enabled:
Navigate to the "Amazon EFS" dashboard in the AWS Management Console.
Select the appropriate EFS file system that was modified for enabling encryption at rest.
Check the details or properties of the file system.
Ensure that the encryption option shows as enabled or as using the selected KMS key.
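The same check can be run from the CLI output instead of the console. The script below is an added example, not part of the original rule page: it evaluates the JSON that aws efs describe-file-systems returns, flags every file system whose Encrypted flag is false or absent, and reports a summary. The embedded response is constructed for the example, and the file-system IDs, names and key ARN in it are made up; fetch_live is an optional helper that shells out to the real CLI when credentials are available.

```python
"""Compliance check for EFS encryption at rest (added example, not page code).

Evaluates the JSON from `aws efs describe-file-systems` and reports any file
system that is not encrypted at rest.  A finding cannot be fixed in place:
encryption is set at creation, so remediation is to create an encrypted file
system and migrate the data.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample in the shape of `aws efs describe-file-systems --output json`.
# The IDs, names and the key ARN are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "payroll-data",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",
            "LifeCycleState": "available",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "scratch",
            "Encrypted": False,
            "LifeCycleState": "available",
        },
        {
            # Record with no Encrypted field at all: treated as non-compliant
            "FileSystemId": "fs-00000000000000000",
            "Name": "legacy",
            "LifeCycleState": "available",
        },
    ]
})


def find_unencrypted(describe_output: str) -> List[Dict]:
    """Return one finding per file system whose Encrypted flag is not True.

    A missing flag counts as not encrypted so the check fails closed.
    """
    data = json.loads(describe_output)
    findings = []
    for fs in data.get("FileSystems", []):
        if fs.get("Encrypted") is not True:
            findings.append({
                "FileSystemId": fs.get("FileSystemId"),
                "Name": fs.get("Name", ""),
                "Severity": "High",
                "Reason": "encryption at rest not enabled; recreate as an "
                          "encrypted file system and migrate the data",
            })
    return findings


def summarize(describe_output: str) -> Dict[str, int]:
    """Count compliant and non-compliant file systems in one response."""
    total = len(json.loads(describe_output).get("FileSystems", []))
    noncompliant = len(find_unencrypted(describe_output))
    return {"total": total, "compliant": total - noncompliant,
            "noncompliant": noncompliant}


def fetch_live(profile: Optional[str] = None) -> str:
    """Run the real AWS CLI and return its JSON output (needs credentials)."""
    cmd = ["aws", "efs", "describe-file-systems", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Evaluate the constructed sample; swap in fetch_live() for a real account.
    for finding in find_unencrypted(SAMPLE_RESPONSE):
        print(f"{finding['FileSystemId']} ({finding['Name']}): {finding['Reason']}")
    print(summarize(SAMPLE_RESPONSE))
```

For a quick manual check of the explicit false case, the CLI can filter on the same field directly with a JMESPath query: aws efs describe-file-systems --query "FileSystems[?Encrypted==\`false\`].FileSystemId" --output text. The script above is stricter, because it also reports records where the Encrypted field is missing rather than false.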
By following these steps, you have successfully enabled EFS file system encryption at rest to meet the General Data Protection Regulation (GDPR) requirements.