AWS EFS Volume is Not Encrypted
Description:
Amazon Elastic File System (EFS) is a scalable file storage for EC2 instances and various AWS services. Data encryption at rest is a security feature that helps prevent unauthorized access to your data. If an EFS volume is not encrypted, sensitive data could be exposed if the underlying storage infrastructure is compromised.
Remediation:
1. Encrypt the EFS Volume:
AWS Management Console:
- Navigate to the EFS service.
- Choose the file system that you want to encrypt.
- In the File system settings section, select Edit.
- Turn on Encryption.
- Choose the key to use for encryption (either the default key provided by AWS or a custom KMS key).
- Select Save changes.
Note: EFS does not support enabling encryption on an existing file system. You need to create a new encrypted file system and migrate your data to it.
AWS CLI:
Since EFS does not support adding encryption to an existing volume directly, you'd need to create a new encrypted file system:
aws efs create-file-system --encrypted --kms-key-id <KMS-KEY-ID>
Replace <KMS-KEY-ID> with your KMS key ID if you're not using the default AWS key.
Terraform:
resource "aws_efs_file_system" "example" {
  creation_token = "my-product"
  encrypted      = true
  kms_key_id     = aws_kms_key.example.arn

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }
}

resource "aws_kms_key" "example" {
  description             = "example"
  deletion_window_in_days = 10
}
In the above Terraform configuration, the EFS file system is encrypted using a custom KMS key. If you want to use the default AWS key, you can simply remove the kms_key_id argument.
Recommendation:
Always encrypt sensitive data at rest, whether it's stored in databases, file systems, or storage volumes. Regularly audit your EFS volumes to ensure encryption is enabled, and use AWS-provided tools and services like AWS Key Management Service (KMS) to manage encryption keys securely.
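The audit step above can be scripted. The following is an added example, not code from the original page: it takes the output shape of aws efs describe-file-systems (the FileSystems list, with the Encrypted and KmsKeyId fields) and reports every file system that is not encrypted at rest. The sample response is constructed so the check runs offline; in practice you would feed it the real CLI or boto3 response.

```python
"""Audit EFS file systems for encryption at rest.

Assumption: the input is a response in the shape returned by
`aws efs describe-file-systems` (or boto3 efs.describe_file_systems()).
The sample below is constructed so this runs offline.
"""

# Constructed sample mirroring the describe-file-systems output shape.
SAMPLE_RESPONSE = {
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "app-data",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "legacy-share",
            "Encrypted": False,
        },
    ]
}


def unencrypted_file_systems(response):
    """Return the IDs of file systems whose Encrypted flag is not True.

    A missing Encrypted field is treated as unencrypted (fail closed).
    """
    return [
        fs["FileSystemId"]
        for fs in response.get("FileSystems", [])
        if fs.get("Encrypted") is not True
    ]


def findings(response):
    """Map each file system ID to a one-line finding for a report."""
    result = {}
    for fs in response.get("FileSystems", []):
        fs_id = fs["FileSystemId"]
        if fs.get("Encrypted") is True:
            result[fs_id] = "encrypted with key " + fs.get("KmsKeyId", "<unknown>")
        else:
            # Encryption cannot be turned on in place: the remediation is a
            # new encrypted file system plus a data migration.
            result[fs_id] = "NOT encrypted: create an encrypted replacement and migrate data"
    return result


if __name__ == "__main__":
    for fs_id, message in findings(SAMPLE_RESPONSE).items():
        print(fs_id + ": " + message)
```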