Profile Applicability

  • Level 1

Description:

Amazon Elastic File System (EFS) is a scalable file storage service for use with AWS Cloud services and on-premises resources. Encryption at rest protects data stored in EFS by encrypting the file system's data, ensuring that the data is unreadable without proper access controls. Enabling encryption for EFS file systems ensures that all data is encrypted and secure when stored in the cloud.

By enabling encryption at rest for EFS file systems, organizations can protect sensitive data from unauthorized access and meet compliance requirements for data protection.

Rationale:

Encrypting EFS file systems at rest provides the following benefits:

  • Data protection: Ensures that the file system’s data is encrypted while at rest and cannot be read without the appropriate keys.

  • Compliance: Meets regulatory requirements such as HIPAA, PCI-DSS, or GDPR, which mandate data encryption.

  • Security best practices: Reduces the risk of unauthorized access to data and prevents data exposure in the event of physical or network breaches.

Without enabling encryption, data stored in the EFS file system may be exposed to unauthorized access, compromising data confidentiality and integrity.

Impact:

Failure to enable encryption for EFS file systems can result in:

  • Exposure of sensitive data to unauthorized access.

  • Violation of compliance standards that require encryption of data at rest.

  • Increased risk of data breaches or loss of confidential information.

Enabling encryption ensures that EFS file systems are secure and meet required compliance and security standards.

Default Value:

By default, encryption is not enabled for newly created EFS file systems. It must be explicitly configured during the creation of the file system to ensure that data is encrypted at rest.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • efs:CreateFileSystem

    • efs:DescribeFileSystems

    • efs:PutEncryptionAtRest

  • EFS file system must be created or available for encryption configuration

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the Amazon EFS Console.

  2. Select the EFS file system for which you want to enable encryption.

  3. Verify that encryption is enabled under the File system details section. The encryption status should indicate Encryption at rest: Enabled.

  4. Ensure that the encryption key used is a KMS key that is properly managed and accessible by authorized users only.

Using AWS CLI:

aws efs describe-file-systems --query 'FileSystems[?Encrypted==`true`].{FileSystemId:FileSystemId, Encrypted:Encrypted}' --output table

The query must be single-quoted: the JMESPath literal true is written between backticks, and inside double quotes the shell would treat those backticks as command substitution and silently break the filter.

To verify that encryption at rest is enabled:

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].Encrypted" --output table

Implementation Plan:

Using AWS Console:

  1. Enable encryption for EFS file systems:

    • Go to the Amazon EFS Console.

    • When creating a new file system, under the Encryption section, select Enable encryption at rest and specify the KMS key to use for encryption.

    • For an existing file system, if encryption was not enabled during creation, you cannot directly enable encryption at rest. You would need to create a new encrypted file system and migrate the data.

  2. Verify encryption settings:

    • In the EFS Console, ensure that the file system encryption status is Enabled.

Using AWS CLI:

  1. Enable encryption at rest when creating a new file system:

aws efs create-file-system --creation-token <creation-token> --performance-mode generalPurpose --encrypted

  2. Check encryption status for an existing file system:

aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[0].Encrypted" --output table
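The Test Plan and Implementation Plan above are manual, one-file-system-at-a-time checks. The script below is an added example (not code from the CIS benchmark or from AWS) that audits every file system in the JSON printed by aws efs describe-file-systems --output json, reports the KMS key of each encrypted file system for review, and builds the create-file-system command used for migration. The file system IDs, account number and key ARNs in the sample are constructed placeholders; the --live switch and the load_from_cli helper are this example's own conventions.

```python
"""Audit Amazon EFS encryption-at-rest status from describe-file-systems output.

Added example; not code from the CIS benchmark or from AWS. It consumes the
JSON that `aws efs describe-file-systems --output json` prints, so it runs
offline on the constructed sample below and, via load_from_cli(), against a
live account.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample in the shape of describe-file-systems output. The file
# system IDs, account number and KMS key ARNs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = {
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "app-data",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001",
            "LifeCycleState": "available",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "legacy-share",
            "Encrypted": False,
            "LifeCycleState": "available",
        },
        {
            # A response missing the Encrypted flag is treated as not encrypted.
            "FileSystemId": "fs-00000000000000002",
            "Name": "unknown-state",
            "LifeCycleState": "available",
        },
    ]
}


def load_from_cli(profile: str = None, region: str = None) -> Dict:
    """Fetch live data with the real AWS CLI (needs credentials allowed to call
    DescribeFileSystems). Not used by the offline sample."""
    cmd = ["aws", "efs", "describe-file-systems", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    if region:
        cmd += ["--region", region]
    return json.loads(subprocess.check_output(cmd))


def find_unencrypted(describe_output: Dict) -> List[str]:
    """IDs of file systems without encryption at rest: the Python equivalent of
    the JMESPath filter FileSystems[?Encrypted==`false`], except that a missing
    Encrypted field is also reported as a finding."""
    return [
        fs["FileSystemId"]
        for fs in describe_output.get("FileSystems", [])
        if not fs.get("Encrypted", False)
    ]


def audit(describe_output: Dict) -> Dict[str, str]:
    """Map each file system ID to a PASS/FAIL line. Encrypted file systems
    report their KMS key so the key policy can be reviewed separately."""
    results = {}
    for fs in describe_output.get("FileSystems", []):
        fs_id = fs["FileSystemId"]
        if fs.get("Encrypted", False):
            key = fs.get("KmsKeyId", "<key not reported>")
            results[fs_id] = f"PASS: encrypted at rest with {key}"
        else:
            results[fs_id] = "FAIL: not encrypted at rest; migrate to a new encrypted file system"
    return results


def remediation_command(creation_token: str, kms_key_id: str = None) -> List[str]:
    """argv for creating the replacement file system with encryption at rest.
    --kms-key-id is optional; without it EFS uses the AWS managed key for EFS."""
    cmd = ["aws", "efs", "create-file-system",
           "--creation-token", creation_token,
           "--performance-mode", "generalPurpose",
           "--encrypted"]
    if kms_key_id:
        cmd += ["--kms-key-id", kms_key_id]
    return cmd


def main(argv: List[str]) -> int:
    # Pass --live to query the account; otherwise audit the constructed sample.
    data = load_from_cli() if "--live" in argv else SAMPLE_DESCRIBE_OUTPUT
    for fs_id, status in sorted(audit(data).items()):
        print(f"{fs_id}: {status}")
    # Non-zero exit lets a CI or compliance job fail on any unencrypted file system.
    return 1 if find_unencrypted(data) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the sample audit (exit status 1 because the sample contains unencrypted file systems), or with --live to audit the configured account; the KMS key ARNs it prints are the input for the key-policy review called for in step 4 of the console Test Plan.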

Backout Plan:

Using AWS Console:

  1. If enabling encryption causes performance issues or other errors:

    • Go to the Amazon EFS Console.

    • If the encryption is causing operational issues, consider creating a new file system with the correct encryption settings, and migrate your data accordingly.

    • For existing unencrypted file systems, you will need to manually migrate the data to a new encrypted file system as encryption cannot be enabled after creation.

  2. Modify KMS key policies to control access if there are issues related to KMS key permissions.

Using AWS CLI:

  1. Temporarily disable encryption:

    • Encryption cannot be disabled on an existing encrypted file system, because the encryption setting is fixed at creation. The recommended backout plan is to create a new encrypted file system with the desired settings and migrate the data.

  2. Stop using the KMS key:

aws efs delete-file-system --file-system-id <file-system-id>

  3. Re-enable encryption by creating a new encrypted file system if needed:

aws efs create-file-system --creation-token <creation-token> --performance-mode generalPurpose --encrypted

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services