Profile Applicability:
Level 1
Description:
Amazon Elastic File System (EFS) provides scalable, elastic file storage for use with AWS Cloud services and on-premises resources. It offers General Purpose and Max I/O performance modes, giving it the flexibility to serve a wide range of use cases. Encryption at rest in Amazon EFS ensures that all data and metadata stored on the file system is encrypted using either the AWS managed key for EFS (aws/elasticfilesystem) or a customer managed key in AWS Key Management Service (KMS), protecting sensitive data from unauthorized access to the underlying storage. The setting is chosen when the file system is created and cannot be changed afterwards.
This SOP ensures that EFS encryption at rest is enabled to secure data, meet compliance standards, and prevent data exposure in the event of unauthorized access to storage resources.
Rationale:
Data Security: Encryption at rest protects sensitive data by ensuring it is unreadable to unauthorized users or services, even if they gain access to the underlying storage infrastructure.
Compliance: Many compliance frameworks, such as PCI-DSS, HIPAA, and SOC 2, require the use of encryption at rest to protect sensitive data. Enabling encryption at rest helps meet these requirements.
Risk Mitigation: Encryption at rest ensures that, even in the event of a physical or logical breach, the data remains protected and unreadable without the appropriate decryption keys.
Impact:
Pros:
Enhanced Security: Encrypts data on disk, reducing the risk of unauthorized access to sensitive information stored on EFS.
Compliance: Helps meet regulatory requirements for data protection and encryption standards.
Defense in Depth: Complements encryption in transit. Encryption at rest does not protect data on the network; encryption in transit is a separate control, enabled per mount with the EFS mount helper (the tls mount option), and both should be in place to protect data end to end.
Cons:
Performance Impact: Enabling encryption at rest may incur a slight performance overhead due to the encryption/decryption processes.
Management Complexity: Managing encryption keys, especially customer-managed keys (CMKs), may require additional effort and knowledge of AWS Key Management Service (KMS).
Default Value:
When a file system is created through the API, AWS CLI, or CloudFormation, the Encrypted parameter defaults to false, so the file system is unencrypted unless encryption is explicitly requested. The AWS Management Console pre-selects encryption at rest when creating a file system, but the option can be deselected. In either case the setting is fixed at creation time: encryption at rest cannot be enabled or disabled on an existing file system.
Pre-requisite:
AWS IAM Permissions (the IAM action prefix for EFS is elasticfilesystem, not efs):
elasticfilesystem:DescribeFileSystems
elasticfilesystem:CreateFileSystem
elasticfilesystem:CreateMountTarget (to attach the replacement file system to the VPC)
kms:CreateKey and kms:DescribeKey (if using a customer-managed key; the key must be in the same region as the file system, and the calling principal must be allowed to use it)
AWS CLI installed and configured.
Amazon EFS instance already created or ready to be created.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EFS under Services.
In the EFS Console, select the file system you want to check.
In the General section of the file system details, check the Encrypted attribute and, where present, the KMS key ID.
If encryption at rest is enabled, the attribute shows that the file system is encrypted and names the key in use.
If it is not, encryption cannot be turned on for this file system; plan a migration to an encrypted replacement as described under Implementation Steps.
Using AWS CLI:
To list every file system with its encryption status and key, run:
aws efs describe-file-systems --query "FileSystems[*].{FileSystemId:FileSystemId,Encrypted:Encrypted,KmsKeyId:KmsKeyId}" --output table
To return only the non-compliant file systems, filter on the Encrypted field:
aws efs describe-file-systems --query "FileSystems[?Encrypted==\`false\`].FileSystemId" --output text
The Encrypted field is true when encryption at rest is enabled and false when it is not; an empty result from the second command means every file system in the region is encrypted. Repeat the check in each region in use. The AWS Config managed rule efs-encrypted-check can run this check continuously.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Amazon EFS.
Encryption at rest cannot be added to an existing file system. For each unencrypted file system found in the test plan, create an encrypted replacement:
Choose Create file system, then Customize.
Under Encryption, keep Enable encryption of data at rest selected and choose the AWS managed key or a customer managed KMS key.
Complete the network and access settings to match the original file system (VPC, mount targets, security groups, access points).
Copy the data from the original file system to the new one, for example with an AWS DataSync task between the two file systems, or with rsync from an EC2 instance that has both file systems mounted.
Update the clients (fstab entries, ECS or EKS volume definitions, Lambda file system configurations) to the new file system ID, validate the application, and then delete the original file system.
Using AWS CLI:
To create a new EFS file system with encryption at rest enabled under the AWS managed key, run:
aws efs create-file-system --performance-mode generalPurpose --encrypted --tags Key=Name,Value=<name>
To use a customer-managed key instead, add the key identifier:
aws efs create-file-system --performance-mode generalPurpose --encrypted --kms-key-id <kms-key-id> --tags Key=Name,Value=<name>
Create a mount target in each subnet used by the original file system:
aws efs create-mount-target --file-system-id <new-file-system-id> --subnet-id <subnet-id> --security-groups <security-group-id>
Migrate the data (AWS DataSync or rsync as above), repoint the clients to the new file system, and verify the result:
aws efs describe-file-systems --file-system-id <new-file-system-id> --query "FileSystems[0].{FileSystemId:FileSystemId,Encrypted:Encrypted,KmsKeyId:KmsKeyId}"
Note that aws efs update-file-system has no encryption option; it changes only throughput settings, so it cannot be used to remediate an unencrypted file system.
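The following script ties the test plan and the implementation steps together. It is an added example, not part of the original SOP or of the AWS CLI documentation: it audits a region for unencrypted file systems, prints an IAM or SCP policy that blocks creation of new unencrypted file systems using the elasticfilesystem:Encrypted condition key, and creates an encrypted replacement file system under an optional customer managed key. The script name efs-encryption.sh, the Name tag and the subcommand names are assumptions for the example; the awk filter and the policy printer run offline, while the other functions call the AWS CLI with the permissions listed under Pre-requisite.

```shell
#!/bin/sh
# Added example, not part of the original SOP or the AWS CLI documentation.
# Audits EFS encryption at rest, prints a preventive IAM/SCP policy, and
# creates an encrypted replacement file system. Only the awk filter and the
# policy printer run offline; the other functions call the AWS CLI.
set -eu

# Filter lines shaped "FileSystemId<TAB>Encrypted<TAB>KmsKeyId" (what
# `aws efs describe-file-systems --output text` prints for the query below)
# and emit the IDs whose Encrypted column is anything other than True.
list_unencrypted() {
  awk -F'\t' '$2 != "True" { print $1 }'
}

# Live inventory for the configured region.
describe_file_systems_tsv() {
  aws efs describe-file-systems --output text \
    --query 'FileSystems[*].[FileSystemId, Encrypted, KmsKeyId]'
}

# Preventive control: deny CreateFileSystem when the request does not set
# Encrypted=true. Attach as an IAM policy or as an Organizations SCP.
enforce_encryption_policy() {
  cat <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEfs",
      "Effect": "Deny",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": { "Bool": { "elasticfilesystem:Encrypted": "false" } }
    }
  ]
}
JSON
}

# Remediation: encryption cannot be added in place, so create a new encrypted
# file system (under a customer managed key when one is given) and block
# until it is available. Mount targets and data migration follow separately.
create_encrypted_file_system() {
  name=$1
  kms_key_id=${2:-}
  if [ -n "$kms_key_id" ]; then
    fs_id=$(aws efs create-file-system --encrypted --kms-key-id "$kms_key_id" \
      --performance-mode generalPurpose --tags "Key=Name,Value=$name" \
      --query FileSystemId --output text)
  else
    fs_id=$(aws efs create-file-system --encrypted \
      --performance-mode generalPurpose --tags "Key=Name,Value=$name" \
      --query FileSystemId --output text)
  fi
  until [ "$(aws efs describe-file-systems --file-system-id "$fs_id" \
      --query 'FileSystems[0].LifeCycleState' --output text)" = "available" ]; do
    sleep 5
  done
  echo "$fs_id"
}

# Usage (assumed script name): efs-encryption.sh audit | policy | create <name> [kms-key-id]
case "${1:-}" in
  audit)  describe_file_systems_tsv | list_unencrypted ;;
  policy) enforce_encryption_policy ;;
  create) create_encrypted_file_system "${2:?name required}" "${3:-}" ;;
esac
```

Run audit in each region (AWS_DEFAULT_REGION or --region in the configured profile) and treat any output as a finding; the policy subcommand prints the deny statement so it can be reviewed before it is attached, and create returns the new file system ID once it is available so the mount-target and migration steps above can follow.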
Backout Plan:
Because encryption at rest cannot be removed from a file system, backing out means returning to the original, unencrypted file system rather than changing a setting. Keep the original file system and its mount targets until the migrated workload has been validated.
Identify the affected clients and review application errors, CloudWatch metrics for the new file system (for example PercentIOLimit and throughput), and any KMS AccessDenied errors, which point to a key policy or IAM problem rather than to encryption itself.
Repoint the clients to the original file system ID and remount.
Confirm that access is restored and that performance matches the baseline, then resolve the root cause and repeat the migration.
Delete the abandoned encrypted file system only after confirming that none of its data is needed.
Note:
Customer-Managed Keys (CMK): If a customer managed key is used, it cannot be swapped later; changing keys means creating a new file system and migrating again. Protect the key policy, since disabling the key or scheduling it for deletion makes the file system unreadable. To prevent new unencrypted file systems, deny elasticfilesystem:CreateFileSystem in an IAM policy or SCP when the elasticfilesystem:Encrypted condition key is false.
Key Rotation: Enable automatic key rotation in KMS for customer managed keys. Rotation generates new backing key material for future encryption while retaining the earlier material, so existing EFS data stays readable without re-encryption.
EFS Performance: AWS encrypts and decrypts data transparently with a small overhead. Test the impact on latency-sensitive workloads before migrating production data.