Profile Applicability:

Level 1
Description:

Amazon Elastic File System (EFS) should be encrypted at rest using AWS Key Management Service (KMS) to protect stored data.

Why Encrypt EFS?

  • Prevents unauthorized access to stored files.

  • Mitigates risks from direct access to the storage device.

  • Meets security compliance standards (CIS, PCI-DSS, HIPAA, GDPR).

Rationale:

Protects sensitive data by encrypting at rest.
Encrypts automated backups & snapshots stored in AWS.
Reduces risk of data leaks if unauthorized access is attempted.
Required for compliance audits (SOC 2, ISO 27001, CIS Benchmark).


Impact:

Data security is enhanced.
Prevents unauthorized file access.
Seamless integration with AWS KMS.


Default Value:

Encryption is NOT enabled by default for EFS when using AWS CLI, API, or SDKs.
Encryption IS enabled by default when creating an EFS file system via AWS Console.

Pre-Requisites:

IAM permissions required:

  • elasticfilesystem:DescribeFileSystems

  • elasticfilesystem:CreateFileSystem

  • elasticfilesystem:DeleteFileSystem

  • kms:ListKeys

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check EFS Encryption Status

  1. Log in to the AWS Management Console.

  2. Navigate to Amazon EFS Console → EFS Dashboard.

  3. Click File Systems in the left panel.

  4. Check the Encryption column:

    • If Enabled → EFS is encrypted

    • If Disabled → EFS is not encrypted and must be remediated

Audit Steps Using AWS CLI

Step 1: List All EFS File Systems in a Region

aws efs describe-file-systems --region <region> --query 'FileSystems[*].FileSystemId'

This command returns a list of all EFS file system IDs.

Step 2: Check Encryption Status for Each EFS

aws efs describe-file-systems --region <region> --file-system-id <file-system-id> --query 'FileSystems[*].Encrypted'

Expected Output (If Encrypted):

[
    true
]
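The two CLI audit steps above can be automated so that every file system in a region is evaluated in one pass. The script below is an added example and is not part of the benchmark text; it operates on the same FileSystems array that describe-file-systems prints, so it can be checked offline against the constructed sample (placeholder IDs, account number and key ARN), or run against a real account through boto3, which it imports only when a region is supplied. It treats a missing Encrypted field as a failure rather than a pass.

```python
"""Audit EFS encryption at rest for every file system in a region.

Added example, not part of the benchmark text. Works on the `FileSystems`
array returned by DescribeFileSystems (the same shape the CLI prints), so it
runs offline against the constructed sample below or, via boto3 (lazily
imported), against a real account.
"""
from typing import Dict, List

# Constructed sample in the DescribeFileSystems response shape; the IDs,
# account number and key ARN are placeholders, not real resources.
SAMPLE_FILE_SYSTEMS: List[Dict] = [
    {
        "FileSystemId": "fs-0123456789abcdef0",
        "Name": "app-data",
        "Encrypted": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "LifeCycleState": "available",
    },
    {
        "FileSystemId": "fs-0fedcba987654321f",
        "Name": "legacy-share",
        "Encrypted": False,
        "LifeCycleState": "available",
    },
    # Entry with no Encrypted key at all: the audit fails it rather than
    # silently passing it.
    {"FileSystemId": "fs-0aaaaaaaaaaaaaaaa", "LifeCycleState": "available"},
]


def find_unencrypted(file_systems: List[Dict]) -> List[Dict]:
    """Return one finding per file system that is not encrypted at rest.

    Only an explicit `Encrypted: true` counts as compliant; an absent or
    false value fails closed.
    """
    findings = []
    for fs in file_systems:
        if fs.get("Encrypted") is True:
            continue
        findings.append(
            {
                "FileSystemId": fs.get("FileSystemId", "<unknown>"),
                "Name": fs.get("Name", ""),
                "Encrypted": fs.get("Encrypted", False),
            }
        )
    return findings


def is_compliant(file_systems: List[Dict]) -> bool:
    """True only when every file system in the region is encrypted."""
    return not find_unencrypted(file_systems)


def list_file_systems(region: str) -> List[Dict]:
    """Fetch every file system in `region`, following NextMarker pagination.

    Needs boto3 and credentials with elasticfilesystem:DescribeFileSystems;
    boto3 is imported here so the offline functions above work without it.
    """
    import boto3  # assumption: boto3 is installed when this path is used

    efs = boto3.client("efs", region_name=region)
    file_systems: List[Dict] = []
    kwargs: Dict = {}
    while True:
        page = efs.describe_file_systems(**kwargs)
        file_systems.extend(page["FileSystems"])
        marker = page.get("NextMarker")
        if not marker:
            return file_systems
        kwargs = {"Marker": marker}


def report(file_systems: List[Dict]) -> str:
    """Render the audit result as one line per unencrypted file system."""
    findings = find_unencrypted(file_systems)
    if not findings:
        return "PASS: all EFS file systems are encrypted at rest"
    lines = [f"FAIL: {len(findings)} unencrypted EFS file system(s)"]
    for f in findings:
        lines.append(f"  {f['FileSystemId']}  name={f['Name'] or '-'}  Encrypted={f['Encrypted']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # With a region argument the audit runs against the account; without one
    # it runs against the constructed sample so the logic can be seen offline.
    data = list_file_systems(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILE_SYSTEMS
    print(report(data))
    sys.exit(0 if is_compliant(data) else 1)
```

Run it as `python audit_efs.py us-east-1` to audit a region; the non-zero exit status on any finding makes it usable as a gate in a scheduled compliance job.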

Implementation steps:

Using AWS Console

Encryption must be enabled during EFS creation. If an EFS is unencrypted, migrate data to a new encrypted EFS.

Method 1: Create an Encrypted EFS via AWS Console

Step 1: Create a New Encrypted EFS

  1. Log in to the AWS Console.

  2. Navigate to Amazon EFS Console.

  3. Click Create File System.

  4. Choose a VPC & Availability Zones.

  5. Under Encryption, select Enable Encryption.

  6. Choose AWS KMS Key (aws/elasticfilesystem).

  7. Click Next → Create File System.

Step 2: Migrate Data from Old Unencrypted EFS

  1. Mount the old EFS on an EC2 instance.

  2. Mount the new encrypted EFS.

  3. Copy data using the rsync command (the trailing slashes copy the contents of the old mount into the root of the new one instead of nesting them in a subdirectory):

    rsync -avz /old-efs-mount/ /new-encrypted-efs-mount/

  4. Unmount the old EFS.

  5. Delete the old unencrypted EFS.

Method 2: Create an Encrypted EFS via AWS CLI

Step 1: Create a New Encrypted EFS

aws efs create-file-system --region <region> --performance-mode generalPurpose --encrypted

This creates a new encrypted EFS using AWS KMS.

Step 2: Create Mount Targets for the Encrypted EFS

aws efs create-mount-target --region <region> --file-system-id <new-file-system-id> --subnet-id <subnet-id>

Creates mount targets for accessing the encrypted EFS.

Step 3: Migrate Data from Old EFS to New Encrypted EFS

  1. Mount old & new EFS on an EC2 instance and copy the data with rsync (trailing slashes copy the contents rather than the directory itself):

    rsync -avz /mnt/old-efs/ /mnt/new-encrypted-efs/

  2. Unmount the old EFS.

  3. Delete the old unencrypted EFS:

aws efs delete-file-system --region <region> --file-system-id <old-file-system-id>
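The same create / mount-target / delete sequence, as an added example in Python rather than the benchmark's own code. It drives any object with the boto3 EFS client method names and adds two checks the CLI steps leave implicit: the new file system must report LifeCycleState "available" before mount targets are created (the API rejects them while it is still "creating"), and the old file system is only deleted once it is confirmed unencrypted and has no remaining mount targets (DeleteFileSystem refuses a file system that still has any). Omitting the KMS key ARN uses the AWS-managed key aws/elasticfilesystem, matching the console default. FakeEfsClient is a constructed stand-in so the sequence runs offline; the key ARN, subnet and file system IDs are placeholders.

```python
"""Replace an unencrypted EFS with an encrypted one through the EFS API.

Added example, not the benchmark's own code. Mirrors the CLI steps
(create-file-system --encrypted, create-mount-target, delete-file-system)
against any object exposing the boto3 EFS client method names. The
FakeEfsClient at the bottom is a constructed stand-in for offline runs.
"""
import time
from typing import Dict, List, Optional, Tuple


def create_encrypted_replacement(
    efs,
    subnet_ids: List[str],
    kms_key_id: Optional[str] = None,
    creation_token: str = "efs-encrypted-replacement",  # idempotency token (assumed name)
    poll_interval: float = 0.0,
    max_polls: int = 60,
) -> Tuple[str, List[str]]:
    """Create an encrypted file system and one mount target per subnet."""
    params: Dict = {
        "CreationToken": creation_token,
        "PerformanceMode": "generalPurpose",
        "Encrypted": True,  # the setting this control requires
    }
    if kms_key_id:  # omitted: AWS-managed key aws/elasticfilesystem is used
        params["KmsKeyId"] = kms_key_id
    created = efs.create_file_system(**params)
    fs_id = created["FileSystemId"]
    if created.get("Encrypted") is not True:
        raise RuntimeError(f"{fs_id} was created without encryption; aborting")

    # Mount targets cannot be attached while the file system is still
    # 'creating', so poll until it reports 'available'.
    for _ in range(max_polls):
        state = efs.describe_file_systems(FileSystemId=fs_id)["FileSystems"][0]["LifeCycleState"]
        if state == "available":
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"{fs_id} did not become available")

    mount_targets = [
        efs.create_mount_target(FileSystemId=fs_id, SubnetId=subnet)["MountTargetId"]
        for subnet in subnet_ids
    ]
    return fs_id, mount_targets


def retire_unencrypted(efs, old_fs_id: str) -> None:
    """Delete the old file system, refusing if it is encrypted or still mounted."""
    desc = efs.describe_file_systems(FileSystemId=old_fs_id)["FileSystems"][0]
    if desc.get("Encrypted") is True:
        raise RuntimeError(f"{old_fs_id} is encrypted; refusing to delete it")
    if desc.get("NumberOfMountTargets", 0):
        raise RuntimeError(f"{old_fs_id} still has mount targets; delete them first")
    efs.delete_file_system(FileSystemId=old_fs_id)


class FakeEfsClient:
    """Constructed stand-in: records calls and mimics the API response shapes."""

    NEW_ID = "fs-NEW000000000000000"  # placeholder, not a real file system

    def __init__(self, old_mount_targets: int = 0):
        self.calls: List[Tuple] = []
        self.describe_count = 0
        self.old_mount_targets = old_mount_targets

    def create_file_system(self, **kw):
        self.calls.append(("create_file_system", kw))
        return {"FileSystemId": self.NEW_ID, "Encrypted": kw.get("Encrypted", False),
                "LifeCycleState": "creating"}

    def describe_file_systems(self, FileSystemId):
        self.calls.append(("describe_file_systems", FileSystemId))
        if FileSystemId == self.NEW_ID:
            self.describe_count += 1  # first poll sees 'creating', second 'available'
            state = "creating" if self.describe_count < 2 else "available"
            return {"FileSystems": [{"FileSystemId": FileSystemId, "Encrypted": True,
                                     "LifeCycleState": state}]}
        return {"FileSystems": [{"FileSystemId": FileSystemId, "Encrypted": False,
                                 "NumberOfMountTargets": self.old_mount_targets}]}

    def create_mount_target(self, FileSystemId, SubnetId):
        self.calls.append(("create_mount_target", FileSystemId, SubnetId))
        return {"MountTargetId": f"fsmt-{SubnetId[-8:]}"}

    def delete_file_system(self, FileSystemId):
        self.calls.append(("delete_file_system", FileSystemId))
        return {}


if __name__ == "__main__":
    client = FakeEfsClient()  # swap for boto3.client("efs", region_name=...) in real use
    new_id, targets = create_encrypted_replacement(
        client, ["subnet-0aaa0000000000001", "subnet-0bbb0000000000002"])
    print(new_id, targets)  # copy data with rsync here, then unmount the old EFS
    retire_unencrypted(client, "fs-OLD000000000000000")
```

Against a real account, replace FakeEfsClient with a boto3 EFS client; the data copy and unmount still happen out of band between the two calls, exactly as in the CLI steps.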

Backout Plan:

If enabling encryption causes issues:

  1. Revert to the old unencrypted EFS.

  2. Unmount the new encrypted EFS.

  3. Modify application configurations to use the old EFS.

  4. Monitor system logs for performance impact.

References: