Profile Applicability:
Level 1
Description:
Amazon Elastic File System (EFS) should be encrypted at rest using AWS Key Management Service (KMS) to protect stored data.
Why Encrypt EFS?
Prevents unauthorized access to stored files.
Mitigates risks from direct access to the storage device.
Meets security compliance standards (CIS, PCI-DSS, HIPAA, GDPR).
Rationale:
Protects sensitive data by encrypting at rest.
Encrypts automated backups & snapshots stored in AWS.
Reduces risk of data leaks if unauthorized access is attempted.
Required for compliance audits (SOC 2, ISO 27001, CIS Benchmark).
Impact:
Data security is enhanced.
Prevents unauthorized file access.
Seamless integration with AWS KMS.
Default Value:
Encryption is NOT enabled by default for EFS when using AWS CLI, API, or SDKs.
Encryption IS enabled by default when creating an EFS file system via AWS Console.
Pre-Requisites:
IAM permissions required:
elasticfilesystem:DescribeFileSystems
elasticfilesystem:CreateFileSystem
elasticfilesystem:DeleteFileSystem
kms:ListKeys
AWS CLI installed for automation.
Remediation:
Test Plan:
Using AWS Console
Step 1: Check EFS Encryption Status
Log in to the AWS Management Console
Navigate to Amazon EFS Console → EFS Dashboard
Click File Systems in the left panel.
Check the Encryption column:
If Enabled → EFS is encrypted
If Disabled → EFS is not encrypted and must be remediated
Audit Steps Using AWS CLI
Step 1: List All EFS File Systems in a Region
aws efs describe-file-systems --region <region> --query 'FileSystems[*].FileSystemId'
This command returns a list of all EFS file system IDs.
Step 2: Check Encryption Status for Each EFS
aws efs describe-file-systems --region <region> --file-system-id <file-system-id> --query 'FileSystems[*].Encrypted'
Expected Output (If Encrypted):
[
true
]
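To audit every file system in a region in one pass instead of running Step 2 per ID, the following added example (not part of the original benchmark text) applies the same Encrypted check to the DescribeFileSystems response; the live path assumes boto3 is installed and credentialed, and the sample response is constructed, not captured from a real account.

```python
"""Audit Amazon EFS file systems for encryption at rest.

Mirrors the CLI audit above: any file system whose Encrypted flag is
false is a finding that must be migrated to an encrypted file system.
"""


def find_unencrypted(describe_response):
    """Return one finding per EFS file system that is not encrypted at rest.

    describe_response has the DescribeFileSystems shape: {"FileSystems": [...]}.
    A missing Encrypted key is treated as unencrypted (fail closed).
    """
    findings = []
    for fs in describe_response.get("FileSystems", []):
        if not fs.get("Encrypted", False):
            findings.append({
                "FileSystemId": fs["FileSystemId"],
                "Name": fs.get("Name", ""),
            })
    return findings


def audit_region(region):
    """Live audit of one region (assumes boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline check needs no SDK

    client = boto3.client("efs", region_name=region)
    file_systems = []
    # DescribeFileSystems is paginated; collect every page before checking.
    for page in client.get_paginator("describe_file_systems").paginate():
        file_systems.extend(page["FileSystems"])
    return find_unencrypted({"FileSystems": file_systems})


# Constructed sample response (placeholder IDs and key ARN, not real resources).
SAMPLE_RESPONSE = {
    "FileSystems": [
        {"FileSystemId": "fs-0aaa000000000001", "Name": "shared-docs",
         "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"FileSystemId": "fs-0aaa000000000002", "Name": "legacy-uploads",
         "Encrypted": False},
    ]
}

if __name__ == "__main__":
    for finding in find_unencrypted(SAMPLE_RESPONSE):
        print(f"UNENCRYPTED {finding['FileSystemId']} ({finding['Name']})"
              " - migrate to an encrypted file system")
```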
Implementation steps:
Using AWS Console
Encryption must be enabled during EFS creation. If an EFS is unencrypted, migrate data to a new encrypted EFS.
Method 1: Create an Encrypted EFS via AWS Console
Step 1: Create a New Encrypted EFS
Log in to the AWS Console
Navigate to Amazon EFS Console
Click Create File System
Choose a VPC & Availability Zones
Under Encryption, select Enable Encryption
Choose AWS KMS Key (aws/elasticfilesystem)
Click Next → Create File System
Step 2: Migrate Data from Old Unencrypted EFS
Mount the old EFS on an EC2 instance.
Mount the new encrypted EFS. Copy data using the rsync command (the trailing slashes copy the contents of the old mount rather than nesting the old mount directory inside the new one):
rsync -avz /old-efs-mount/ /new-encrypted-efs-mount/
Unmount the old EFS.
Delete the old unencrypted EFS.
Method 2: Create an Encrypted EFS via AWS CLI
Step 1: Create a New Encrypted EFS
aws efs create-file-system --region <region> --performance-mode generalPurpose --encrypted
This creates a new encrypted EFS using the AWS managed KMS key (aws/elasticfilesystem); add --kms-key-id <key-id> to use a customer managed KMS key instead.
Step 2: Create Mount Targets for the Encrypted EFS
aws efs create-mount-target --region <region> --file-system-id <new-file-system-id> --subnet-id <subnet-id>
Creates mount targets for accessing the encrypted EFS.
Step 3: Migrate Data from Old EFS to New Encrypted EFS
Mount old & new EFS on an EC2 instance.
rsync -avz /mnt/old-efs/ /mnt/new-encrypted-efs/
Unmount the old EFS.
Delete the old unencrypted EFS:
aws efs delete-file-system --region <region> --file-system-id <old-file-system-id>
Backout Plan:
If enabling encryption causes issues:
Revert to the old unencrypted EFS.
Unmount the new encrypted EFS.
Modify application configurations to use the old EFS.
Monitor system logs for performance impact.