Description:
Amazon Elastic File System (EFS) is a file storage service that can be used to store sensitive data. By default, EFS data is not encrypted at rest. However, you can enable encryption at rest to protect your data from unauthorized access.

Rationale:
Encrypting EFS data at rest helps to protect your data from unauthorized access. If an attacker were to gain access to your EFS file system, they would not be able to read your data if it is encrypted.

Impact:
Enabling encryption at rest for EFS has a number of positive impacts, including:

  • Increased security: Your EFS data will be more secure, as it will be protected from unauthorized access.
  • Reduced compliance risk: Enabling encryption at rest can help you to meet your compliance requirements.
  • Improved peace of mind: Knowing that your EFS data is encrypted can give you peace of mind.

Default Value:
By default, EFS data is not encrypted at rest. This means that you will need to manually enable encryption if you want to protect your data.

Pre-requisites:
To enable encryption at rest for EFS, you will need:

  • Access to the AWS Management Console or the AWS CLI.
  • The ability to modify the configuration of your EFS file systems.

Remediation Steps:
To remediate this issue, you can follow these steps:

  1. Log in to the AWS Management Console or the AWS CLI.
  2. Go to the EFS console or the AWS CLI command line.
  3. Select the EFS file system that you want to enable encryption for.
  4. In the "Configuration" tab, scroll down to the "Encryption" section.
  5. Select the "Enable encryption" checkbox.
  6. Select the KMS key that you want to use to encrypt your data.
  7. Click the "Save" button.

Test Plan:
To test the status of encryption at rest, you can follow these steps:

  1. Log in to the AWS Management Console or the AWS CLI.
  2. Go to the EFS console or the AWS CLI command line.
  3. Select the EFS file system that you enabled encryption for.
  4. In the "Configuration" tab, scroll down to the "Encryption" section.
  5. Verify that the "Enable encryption" checkbox is selected and that the correct KMS key is listed.

Implementation Plan:
To implement this policy, you can follow these steps:

  1. Create a new AWS Identity and Access Management (IAM) policy that allows users to modify the configuration of EFS file systems.
  2. Attach the IAM policy to the IAM users or groups that need to be able to enable encryption at rest.
  3. Use the AWS Management Console or the AWS CLI to enable encryption at rest for your EFS file systems.

AWS CLI Process:
To enable encryption at rest using the AWS CLI, you can use the following command:

aws efs modify-file-system --region <region> --file-system-id <file-system-id> --enable-encryption


Using AWS GUI:
To enable encryption at rest using the AWS Management Console, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the "EFS" service.
  3. Click on the "File Systems" tab.
  4. Select the EFS file system that you want to enable encryption for.
  5. Click on the "Configuration" tab.
  6. Scroll down to the "Encryption" section.
  7. Select the "Enable encryption" checkbox.
  8. Select the KMS key that you want to use to encrypt your data.
  9. Click on the "Save" button.

Backout Plan:
To revoke the changes that you made to enable encryption at rest, you can follow these steps:

  1. Log in to the AWS Management Console or the AWS CLI.
  2. Go to the EFS console or the AWS CLI command line.
  3. Select the EFS file system that you enabled encryption for.
  4. In the "Configuration" tab, scroll down to the "Encryption" section.
  5. Clear the "Enable encryption" checkbox.
  6. Click the "Save" button.

Note:

  • This policy only applies to EFS file systems that are created with the "Enable encryption" checkbox selected.
  • If you have any custom configurations that depend on unencrypted data, you may need to modify those configurations after enabling encryption at rest.

References:
https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
https://docs.aws.amazon.com/kms/latest/developerguide/