AWS EFS Volume is Not Encrypted

Description:

Amazon Elastic File System (EFS) is scalable, elastic NFS file storage for EC2 instances and other AWS compute services (ECS, EKS, Lambda). Encryption at rest protects the file system's contents and metadata with an AWS KMS key, so that the data is unreadable to anyone who obtains the underlying storage media or a raw snapshot of it without also holding access to that key. If an EFS file system is not encrypted, sensitive data could be exposed if the underlying storage infrastructure is compromised. Encryption at rest is distinct from encryption in transit, which is enabled per mount (for example with the EFS mount helper's tls option) and is not covered by this finding.


Remediation:

1. Encrypt the EFS Volume:

AWS Management Console:
  • Navigate to the EFS service and choose Create file system, then Customize.
  • Under Encryption, make sure Enable encryption of data at rest is selected (it is selected by default for new file systems).
  • Choose the key to use for encryption: the AWS managed key aws/elasticfilesystem, or a customer managed KMS key.
  • Complete the wizard and create the file system, then create mount targets in the same subnets as the unencrypted file system.
  • Migrate the data (for example with AWS DataSync, or rsync between the two mounts), repoint clients to the new file system, and delete the old one once the copy has been verified.

Note: Encryption at rest can only be set when an EFS file system is created. There is no setting in the console, the CLI or the API that turns it on for an existing file system, so remediation always means creating a new encrypted file system and migrating the data. Take a backup (for example with AWS Backup) before deleting the unencrypted original.

AWS CLI:

Since EFS does not support adding encryption to an existing file system, create a new encrypted file system and migrate the data into it:

aws efs create-file-system --encrypted --kms-key-id <KMS-KEY-ID>

Replace <KMS-KEY-ID> with the key ID, key ARN or alias (alias/...) of your customer managed KMS key. Omit --kms-key-id entirely to use the AWS managed key aws/elasticfilesystem. Pass the same --performance-mode and --throughput-mode as the original file system so the replacement behaves the same way; the new file system's ID is printed in the response, and describe-file-systems will show "Encrypted": true for it.

Terraform:
resource "aws_efs_file_system" "example" {
  creation_token = "my-product"

  # Encryption at rest is set at creation time and cannot be changed afterwards.
  encrypted  = true
  kms_key_id = aws_kms_key.example.arn

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }
}

resource "aws_kms_key" "example" {
  description             = "Customer managed key for EFS encryption at rest"
  deletion_window_in_days = 10
  enable_key_rotation     = true
}

In the above Terraform configuration, the EFS file system is encrypted using a customer managed KMS key with automatic key rotation enabled. If you want to use the AWS managed key aws/elasticfilesystem, you can simply remove the kms_key_id argument while keeping encrypted = true. Be aware that encrypted and kms_key_id force replacement of an aws_efs_file_system resource: setting them on an existing unencrypted resource makes terraform plan destroy the current file system, and all of its data, before creating the new one. For a file system that already holds data, add the encrypted file system as a second resource, migrate the data, and only then remove the old resource.


Recommendation:

Always encrypt sensitive data at rest, whether it's stored in databases, file systems, or storage volumes. Regularly audit your EFS file systems to ensure encryption is enabled: the Encrypted field returned by describe-file-systems must be true for every file system, and the AWS Config managed rule efs-encrypted-check reports any that are not. Use AWS Key Management Service (KMS) to manage the encryption keys, prefer a customer managed key where you need control over the key policy, rotation and CloudTrail visibility of key use, and keep that key policy to the principals and roles that genuinely need to mount the file system.
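The audit and the CLI remediation above can be combined into one script. The following is an added example and not part of the original finding or of any AWS tooling: it parses the JSON that aws efs describe-file-systems --output json prints (so it can be run offline against a saved response), lists every file system whose Encrypted flag is not true, and drafts the aws efs create-file-system command that recreates each one with encryption enabled and the same performance mode, throughput mode and tags. The sample response, its file system IDs, key ARN and the alias/efs-prod key alias are constructed for the demonstration.

```python
"""Audit EFS file systems for encryption at rest and draft the remediation
command for each unencrypted one.

Added example, not from the original finding. Reads the JSON shape printed by
`aws efs describe-file-systems --output json`; the sample below is constructed
and contains no real account data.
"""
import json
import shlex

# Constructed sample response: one encrypted and two unencrypted file systems.
SAMPLE_RESPONSE = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "payroll-data",
            "Encrypted": False,
            "PerformanceMode": "generalPurpose",
            "ThroughputMode": "bursting",
            "Tags": [{"Key": "Name", "Value": "payroll-data"},
                     {"Key": "env", "Value": "prod"}],
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "ml-scratch",
            "Encrypted": False,
            "PerformanceMode": "maxIO",
            "ThroughputMode": "provisioned",
            "ProvisionedThroughputInMibps": 256.0,
            "Tags": [{"Key": "Name", "Value": "ml-scratch"}],
        },
        {
            "FileSystemId": "fs-00000000000000001",
            "Name": "logs-archive",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "PerformanceMode": "generalPurpose",
            "ThroughputMode": "elastic",
            "Tags": [{"Key": "Name", "Value": "logs-archive"}],
        },
    ]
})


def unencrypted_file_systems(response_json):
    """Return the file systems whose Encrypted flag is not exactly True.

    A missing flag counts as unencrypted, so a truncated or hand-edited
    response fails closed instead of silently passing.
    """
    data = json.loads(response_json)
    return [fs for fs in data.get("FileSystems", []) if fs.get("Encrypted") is not True]


def replacement_command(fs, kms_key_id=None):
    """Build the `aws efs create-file-system` call that recreates `fs` with
    encryption at rest enabled and the same performance/throughput settings
    and tags, so the migrated file system behaves like the original.

    When `kms_key_id` is None the flag is omitted and EFS uses the AWS
    managed key aws/elasticfilesystem.
    """
    args = ["aws", "efs", "create-file-system", "--encrypted",
            "--performance-mode", fs["PerformanceMode"],
            "--throughput-mode", fs["ThroughputMode"]]
    if fs["ThroughputMode"] == "provisioned":
        # Provisioned throughput is only meaningful (and only accepted) in this mode.
        args += ["--provisioned-throughput-in-mibps",
                 format(fs["ProvisionedThroughputInMibps"], "g")]
    if kms_key_id:
        args += ["--kms-key-id", kms_key_id]
    if fs.get("Tags"):
        # --tags takes one list of Key=..,Value=.. items; repeating the flag would overwrite.
        args += ["--tags"] + [f"Key={t['Key']},Value={t['Value']}" for t in fs["Tags"]]
    return " ".join(shlex.quote(a) for a in args)


def audit(response_json, kms_key_id=None):
    """Map each unencrypted file system ID to its drafted replacement command."""
    return {fs["FileSystemId"]: replacement_command(fs, kms_key_id)
            for fs in unencrypted_file_systems(response_json)}


if __name__ == "__main__":
    for fs_id, cmd in audit(SAMPLE_RESPONSE, "alias/efs-prod").items():
        print(f"{fs_id}: NOT encrypted at rest")
        print(f"  create replacement: {cmd}")
        print("  then migrate data (DataSync or rsync), repoint mounts, delete the old file system")
```

To run it against a real account, save the live response (aws efs describe-file-systems --output json > efs.json) and pass its contents to audit() in place of SAMPLE_RESPONSE. The drafted commands deliberately stop at creating the encrypted file system; mount targets, data migration and deletion of the old file system are separate, deliberate steps.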