AWS EFS Volume Does Not Enforce Data-at-Rest Encryption Using KMS CMKs

Description:

Amazon Elastic File System (EFS) can encrypt data at rest with AWS Key Management Service (KMS). The key is chosen when the file system is created and cannot be changed afterwards: if no key is specified, EFS uses the account's AWS managed key aws/elasticfilesystem, whose key policy you cannot edit. (AWS now calls customer master keys (CMKs) "customer managed keys"; this page keeps the older term.) A file system that is not encrypted with a customer managed key is therefore either unencrypted at rest or protected only by the AWS managed key, which may not satisfy requirements for customer-controlled key policies, rotation schedules, cross-account access, or the ability to revoke access by disabling or deleting the key.


Remediation:

1. Create the EFS file system encrypted with a KMS CMK (customer managed key):

AWS Management Console:
  • Navigate to the EFS service, choose Create file system, then choose Customize.
  • In the File system settings step, under Encryption, keep "Enable encryption of data at rest" selected.
  • In the KMS key field, select your customer managed key (by alias or key ID) instead of the default aws/elasticfilesystem key.
  • Complete the remaining steps (network access, file system policy, review) and choose Create.
  • Copy the data from the existing file system into the new one and repoint mount targets and clients (see the note below).

Note: Encryption at rest and the KMS key can only be set when an EFS file system is created; neither can be turned on or changed for an existing file system, from the console or the API. To remediate an existing file system, create a new one with the desired key, copy the data across (for example with AWS DataSync, which supports EFS-to-EFS transfers, or a file-level copy from a host that mounts both), switch clients to the new file system, and delete the old one only after verifying the copy.

AWS CLI:

To create a new EFS file system encrypted with a specific KMS CMK:

aws efs create-file-system \
  --creation-token my-product \
  --encrypted \
  --kms-key-id <KMS-CMK-ID>

Replace <KMS-CMK-ID> with the key ID, key ARN, alias name (for example alias/my-efs-key) or alias ARN of your customer managed key. The key must be a symmetric encryption key in the same Region as the file system, and its key policy must allow the calling principal to use it; --creation-token is any idempotency string, so re-running the command does not create a second file system.

Terraform:
resource "aws_efs_file_system" "example" {
  creation_token = "my-product"

  # Both attributes can only be set at creation. Changing either one on an
  # existing resource forces Terraform to replace the file system, which
  # destroys its data, so plan the migration before applying.
  encrypted     = true
  kms_key_id    = aws_kms_key.example.arn

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }
}

resource "aws_kms_key" "example" {
  description             = "EFS data-at-rest key"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

In this Terraform configuration, the EFS file system is encrypted with a customer managed KMS key defined in the same configuration. The key policy (the default policy, if none is set) must allow the principal running Terraform to use the key when the file system is created. If the key is later disabled or scheduled for deletion, the data on the file system becomes unreadable, so restrict who can manage the key and treat deletion_window_in_days as the safety margin for recovering from a mistaken deletion.


Recommendation:

To meet stringent compliance and regulatory standards, encrypt every EFS file system that holds sensitive data with a customer managed KMS CMK, and decide this at creation time, since it cannot be changed later. Regularly list your file systems and confirm that each one reports Encrypted = true and that its KmsKeyId resolves to a key you manage rather than the AWS managed aws/elasticfilesystem key. Enable automatic rotation on the key, restrict its key policy to the principals that need it, and monitor KMS usage and key state changes (disable, schedule deletion) in CloudTrail, because either change takes the file system's data offline.
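The periodic review above is easiest to automate against the JSON that the EFS and KMS APIs already return. The following audit helper is an added example, not code from the original page or from AWS: it classifies each file system as unencrypted, encrypted with the AWS managed key, or encrypted with a customer managed key, using the Encrypted and KmsKeyId fields of describe-file-systems and the KeyManager field ("AWS" or "CUSTOMER") of describe-key. It goes slightly beyond the page by also flagging a customer managed key that is not in the Enabled state and recording whether rotation is on. The file system IDs, account ID and key ARNs in the sample data are constructed placeholders; the live_audit function assumes boto3 and AWS credentials are available and is not exercised by the sample.

```python
"""Audit which EFS file systems are encrypted, and with whose KMS key.

Works on the shapes returned by `aws efs describe-file-systems`
(FileSystems[].Encrypted / KmsKeyId) and `aws kms describe-key`
(KeyMetadata.KeyManager / KeyState). Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNENCRYPTED = "UNENCRYPTED"                     # Encrypted == false
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"             # aws/elasticfilesystem (KeyManager == "AWS")
CUSTOMER_MANAGED_KEY = "CUSTOMER_MANAGED_KEY"   # a key in your account (KeyManager == "CUSTOMER")


@dataclass(frozen=True)
class EfsFinding:
    file_system_id: str
    status: str
    kms_key_arn: Optional[str]
    key_state: Optional[str]          # KeyMetadata.KeyState, e.g. "Enabled" or "Disabled"
    rotation_enabled: Optional[bool]  # KeyRotationEnabled from get-key-rotation-status, if fetched

    @property
    def compliant(self) -> bool:
        # The control is met only by a customer managed key that is currently
        # usable; a disabled key leaves the file system's data unreadable.
        return self.status == CUSTOMER_MANAGED_KEY and self.key_state == "Enabled"


def classify_file_system(fs: dict, key_metadata: Optional[dict],
                         rotation_enabled: Optional[bool] = None) -> EfsFinding:
    """Classify one FileSystems[] entry; key_metadata is the KeyMetadata for
    fs["KmsKeyId"], or None when the file system is unencrypted."""
    fs_id = fs["FileSystemId"]
    if not fs.get("Encrypted", False):
        return EfsFinding(fs_id, UNENCRYPTED, None, None, None)
    if key_metadata is None:
        raise ValueError(f"{fs_id} is encrypted but no KeyMetadata was supplied")
    status = CUSTOMER_MANAGED_KEY if key_metadata.get("KeyManager") == "CUSTOMER" else AWS_MANAGED_KEY
    return EfsFinding(fs_id, status, fs["KmsKeyId"], key_metadata.get("KeyState"), rotation_enabled)


def audit(file_systems: List[dict], keys: Dict[str, dict],
          rotation: Optional[Dict[str, bool]] = None) -> List[EfsFinding]:
    """keys maps a KmsKeyId ARN to its KeyMetadata; rotation maps an ARN to
    KeyRotationEnabled. In production both come from the KMS API."""
    rotation = rotation or {}
    findings = []
    for fs in file_systems:
        arn = fs.get("KmsKeyId")
        findings.append(classify_file_system(fs, keys.get(arn) if arn else None, rotation.get(arn)))
    return findings


def noncompliant_ids(findings: List[EfsFinding]) -> List[str]:
    return [f.file_system_id for f in findings if not f.compliant]


def live_audit(region_name: str) -> List[EfsFinding]:
    """Run the same classification against a real account (assumes boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run without it
    efs = boto3.client("efs", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    file_systems, marker = [], None
    while True:  # describe_file_systems pages with Marker / NextMarker
        page = efs.describe_file_systems(**({"Marker": marker} if marker else {}))
        file_systems.extend(page["FileSystems"])
        marker = page.get("NextMarker")
        if not marker:
            break
    keys, rotation = {}, {}
    for arn in {fs["KmsKeyId"] for fs in file_systems if fs.get("Encrypted")}:
        keys[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
        rotation[arn] = kms.get_key_rotation_status(KeyId=arn)["KeyRotationEnabled"]
    return audit(file_systems, keys, rotation)


# Constructed sample: one unencrypted file system, one on the AWS managed key,
# one on a customer managed key with rotation enabled. IDs are placeholders.
KEY_ARN_PREFIX = "arn:aws:kms:us-east-1:123456789012:key/"
AWS_KEY_ARN = KEY_ARN_PREFIX + "11111111-1111-1111-1111-111111111111"
CUSTOMER_KEY_ARN = KEY_ARN_PREFIX + "22222222-2222-2222-2222-222222222222"
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000000000000001", "Encrypted": False},
    {"FileSystemId": "fs-0000000000000002", "Encrypted": True, "KmsKeyId": AWS_KEY_ARN},
    {"FileSystemId": "fs-0000000000000003", "Encrypted": True, "KmsKeyId": CUSTOMER_KEY_ARN},
]
SAMPLE_KEYS = {
    AWS_KEY_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CUSTOMER_KEY_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}
SAMPLE_ROTATION = {CUSTOMER_KEY_ARN: True}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS, SAMPLE_ROTATION):
        print(f.file_system_id, f.status, "compliant" if f.compliant else "NONCOMPLIANT")
```

Only the third sample file system passes. The check deliberately keys off KeyManager rather than the key alias, because a customer managed key can carry any alias while an AWS managed key always reports KeyManager = "AWS"; the same code serves as the verification step after creating a replacement file system.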