Description:

Amazon Elastic File System (Amazon EFS) provides simple, scalable, highly available, and highly durable shared file systems in the cloud. The file systems you create using Amazon EFS are elastic, allowing them to grow and shrink automatically as you add and remove data. They can grow in size to petabytes, distributing data across an unconstrained number of storage servers in multiple Availability Zones (AZs).


Rationale:

Data encrypted at rest is transparently encrypted while being written, and transparently decrypted while being read, so you don’t have to modify your applications. Encryption keys are managed by the AWS Key Management Service (KMS), eliminating the need to build and maintain a secure key management infrastructure.


Impact:

Encrypt your EFS file systems to protect your data and metadata from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.


Default:

By default, AWS EFS encrypts the data.


Pre-requisites:

  1. Create a File system


Remediation:


Test Plan:

  1. Log in to the AWS Management Console.

  2. Navigate to Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

  3. In the left navigation panel, select File Systems.

  4. Click on the file system you want to examine; its details will be displayed. Check the status shown under Encrypted.


Using AWS CLI:

aws efs describe-file-systems \
    --file-system-id <value>
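The console check in step 4 and the describe-file-systems call above can be automated. The following script is an added example (not part of the original benchmark text): it reads `aws efs describe-file-systems --output json` output, classifies every file system by its `Encrypted` field, and exits non-zero when any file system is unencrypted or the field is missing. The embedded sample response is constructed; the file system IDs, account number and KMS key ARN in it are placeholders.

```python
"""Check EFS encryption at rest from `aws efs describe-file-systems` JSON output.

Live use:   aws efs describe-file-systems --output json | python efs_encryption_audit.py
Demo use:   python efs_encryption_audit.py --sample   (uses the constructed sample below)
"""
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of a describe-file-systems response.
# File system IDs, account number and key ARN are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "app-data",
            "LifeCycleState": "available",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "legacy-share",
            "LifeCycleState": "available",
            "Encrypted": False,
        },
        {
            # Encrypted field deliberately absent: an incomplete record must not pass.
            "FileSystemId": "fs-0aaaaaaaaaaaaaaaa",
            "Name": "partial-record",
            "LifeCycleState": "available",
        },
    ]
})


def parse_file_systems(describe_output: str) -> List[dict]:
    """Parse describe-file-systems JSON and return the FileSystems list.

    Raises ValueError if the document does not have the expected top-level shape,
    so a truncated or unrelated response is reported instead of passing as 'no findings'.
    """
    data = json.loads(describe_output)
    systems = data.get("FileSystems") if isinstance(data, dict) else None
    if not isinstance(systems, list):
        raise ValueError("expected a top-level 'FileSystems' list")
    return systems


def classify(file_system: dict) -> str:
    """Classify one file system record.

    'encrypted'   -> Encrypted is true (KmsKeyId then names the key in use)
    'unencrypted' -> Encrypted is false
    'unknown'     -> Encrypted is missing; counted as a finding, never as a pass
    """
    encrypted = file_system.get("Encrypted")
    if encrypted is True:
        return "encrypted"
    if encrypted is False:
        return "unencrypted"
    return "unknown"


def audit(describe_output: str) -> Dict[str, str]:
    """Map every FileSystemId in the output to its classification."""
    return {
        fs.get("FileSystemId", "<missing-id>"): classify(fs)
        for fs in parse_file_systems(describe_output)
    }


def noncompliant(describe_output: str) -> List[str]:
    """Sorted IDs of file systems that fail the encryption-at-rest check."""
    return sorted(fs_id for fs_id, state in audit(describe_output).items() if state != "encrypted")


def main() -> int:
    raw = SAMPLE_OUTPUT if "--sample" in sys.argv else sys.stdin.read()
    results = audit(raw)
    for fs_id, state in sorted(results.items()):
        print(f"{fs_id}\t{state}")
    failing = noncompliant(raw)
    print(f"{len(failing)} of {len(results)} file system(s) fail the encryption-at-rest check")
    return 1 if failing else 0  # non-zero exit lets a pipeline fail on findings


if __name__ == "__main__":
    sys.exit(main())
```

A missing `Encrypted` field is treated as a finding rather than a pass, so a malformed or partial response cannot silently hide an unencrypted file system; the same script can be pointed at each region in turn by changing `--region` on the `aws` call that feeds it.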


Implementation Steps:

Note: Encryption cannot be enabled on an existing file system. You need to create a new file system with encryption enabled, copy the data from the old file system to the new one, and then delete the old file system.

  1. Log in to the AWS Management Console.

  2. Navigate to Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

  3. In the left navigation panel, select File Systems.

  4. Click on Create file system.

  5. Enter the file system name, select the VPC and click on Create.

    Note: A file system created in the step above is encrypted by default with the default master key provided and managed by AWS KMS. This default master key is an AWS-managed key that is created automatically for the EFS service within your AWS account.

    If you want to cross-check the encryption setting, follow the steps below.

  6. Click on Customize.

  7. Make sure Encryption is enabled under the Encryption section.

  8. Review the details on each page, clicking on Next, and then click on Create.

  9. Copy the data from the source (old) EFS file system onto the new one.

  10. Click on Next.

  11. Under Network access, select the VPC.

  12. Click on Next.

  13. Select the check box if you want to grant any access.

  14. Click on Next.

  15. Click on Review and create.

Using AWS CLI:

To create a file system with encryption enabled:

aws efs create-file-system \
  --region us-east-1 \
  --creation-token cli-d7164e1d-ada4-4c01-b433-d33b1cada665 \
  --performance-mode generalPurpose \
  --encrypted


Backout Plan:

The encryption setting of an existing file system cannot be edited, so the change cannot be reverted.


References:

Basic Concepts and Terminology - Encrypting File Data with Amazon Elastic File System