AWS-EFS-EFS-CMK-Encrypted

Severity: Medium

Description: This control checks that each EFS file system is encrypted at rest with a customer managed KMS key (formerly called a customer master key, CMK), rather than with the AWS managed key for EFS or not at all. Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed NFS file system for storing data. EFS supports encryption at rest, but the setting can only be chosen when the file system is created; it cannot be enabled or changed afterwards. An encrypted file system uses either the AWS managed key for EFS (alias aws/elasticfilesystem) or a customer managed KMS key. A customer managed key gives you control over the key policy, key rotation and the CloudTrail audit trail of key use, which is what organizational and compliance requirements typically call for.
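The check behind this control, as an added example that is not Blue Hexagon's or AWS's code: an EFS record with "Encrypted": true is not enough on its own, because the key may be the AWS managed key, so the key ARN from DescribeFileSystems has to be resolved through KMS DescribeKey and its KeyManager field inspected. The record shapes follow those two API responses; every file system ID, account ID and key ARN below is constructed for illustration, and fetching the real responses (AWS CLI or boto3) is left to the caller.

```python
"""Check EFS file systems for the 'encrypted at rest with a customer managed key' control.

Added example, not Blue Hexagon's or AWS's code. The record shapes follow the
EFS DescribeFileSystems and KMS DescribeKey API responses; every file system ID,
account ID and key ARN below is constructed for illustration.
"""
import json

# Constructed `aws efs describe-file-systems` output. Not real resources.
DESCRIBE_FILE_SYSTEMS = json.loads("""
{
  "FileSystems": [
    {"FileSystemId": "fs-0aaaaaaaaaaaaaaa1", "Name": "plain-share", "Encrypted": false},
    {"FileSystemId": "fs-0bbbbbbbbbbbbbbb2", "Name": "aws-key-share", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-1111-2222-3333-aaaaaaaaaaaa"},
    {"FileSystemId": "fs-0ccccccccccccccc3", "Name": "cmk-share", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-1111-2222-3333-bbbbbbbbbbbb"},
    {"FileSystemId": "fs-0ddddddddddddddd4", "Name": "cmk-deleting-share", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cccccccc-1111-2222-3333-cccccccccccc"}
  ]
}
""")["FileSystems"]

# Constructed `aws kms describe-key` KeyMetadata, indexed by key ARN. KeyManager is
# "AWS" for the service default key (alias aws/elasticfilesystem) and "CUSTOMER"
# for a customer managed key.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-1111-2222-3333-aaaaaaaaaaaa":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-1111-2222-3333-bbbbbbbbbbbb":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/cccccccc-1111-2222-3333-cccccccccccc":
        {"KeyManager": "CUSTOMER", "KeyState": "PendingDeletion"},
}


def evaluate_file_system(fs, key_metadata):
    """Return (status, reason) for one DescribeFileSystems record.

    "Encrypted": true alone does not satisfy the control: the key must also be
    customer managed, and a disabled or pending-deletion key will make the
    file system unreadable, so that is flagged as well.
    """
    if not fs.get("Encrypted"):
        return ("FAIL", "not encrypted at rest; cannot be enabled in place, "
                        "migrate to a new encrypted file system")
    key_arn = fs.get("KmsKeyId")
    meta = key_metadata.get(key_arn)
    if meta is None:
        return ("UNKNOWN", f"no DescribeKey metadata available for {key_arn}")
    if meta.get("KeyManager") != "CUSTOMER":
        return ("FAIL", "encrypted with the AWS managed key, not a customer managed key")
    if meta.get("KeyState") != "Enabled":
        return ("FAIL", f"customer managed key is {meta.get('KeyState')}; "
                        "data becomes unreadable if the key is lost")
    return ("PASS", "encrypted with an enabled customer managed key")


def evaluate_all(file_systems, key_metadata):
    """Map FileSystemId -> (status, reason) for a whole account/region listing."""
    return {fs["FileSystemId"]: evaluate_file_system(fs, key_metadata)
            for fs in file_systems}


if __name__ == "__main__":
    for fs_id, (status, reason) in evaluate_all(DESCRIBE_FILE_SYSTEMS, KEY_METADATA).items():
        print(f"{fs_id:<22} {status:<8} {reason}")
```

In a live account, feed the function the output of `aws efs describe-file-systems` and, for each distinct KmsKeyId, the KeyMetadata from `aws kms describe-key --key-id <arn>`; run it per region, since both EFS and KMS keys are regional.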

Remediation Steps:

Perform the following to create a new encrypted EFS file system and copy the data from the unencrypted one:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Step 1: Create an encrypted EFS file system

    1. Navigate to File Systems.

    2. Select the non-compliant file system, expand its details, and make a note of the existing configuration (VPC, mount targets and security groups, performance and throughput mode, lifecycle policy).

    3. Choose Create File System to create the new encrypted file system.

    4. Configure network access (VPC, subnets and security groups) to match the original file system.

    5. Choose Next. Under Enable encryption, select Enable encryption at rest.

    6. Choose your customer managed KMS key, not the AWS managed key (aws/elasticfilesystem).

    7. Choose Next, review the configuration, and choose Create File System.

  3. Step 2: Copy data to the encrypted file system

    1. Mount both the old and the newly created file system on an EC2 instance or an on-premises server.

    2. Copy the data from the source file system to the new one, preserving ownership and permissions.

    3. When the copy has finished, verify the integrity of the data in the new file system (file count, sizes and checksums, and permissions). Only after verification succeeds and clients have been repointed to the new file system is it safe to delete the old unencrypted one.
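One way to carry out the verification in Step 2, as an added example that is not part of the original control page: build a SHA-256 manifest of every file under the old mount and the new mount and compare them, so a truncated, missing or stray file is caught before the old file system is deleted. The mount points (/mnt/efs-old, /mnt/efs-new) are assumptions; the demo copies and then deliberately damages a constructed temporary tree so it runs offline. Ownership and mode bits are not part of the manifest and should be preserved and checked by the copy tool itself (for example rsync -a).

```python
"""Verify that data copied from the old (unencrypted) EFS matches the new encrypted one.

Added example, not part of the original control page. It assumes both file
systems are mounted locally (e.g. /mnt/efs-old and /mnt/efs-new, chosen here
for illustration) and compares a SHA-256 manifest of every file under each
mount. The demo builds a constructed temporary tree so it runs offline.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> (size, sha256).

    File symlinks are recorded by their target rather than followed, so a
    dangling link on the source does not abort the walk and is still compared.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = ("symlink", os.readlink(full))
            else:
                manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def compare_manifests(source, destination):
    """Return the differences that make the copy unsafe to trust."""
    return {
        "missing": sorted(set(source) - set(destination)),      # not copied
        "extra": sorted(set(destination) - set(source)),        # unexpected on new side
        "mismatched": sorted(p for p in source.keys() & destination.keys()
                             if source[p] != destination[p]),   # size or content differs
    }


def copy_is_complete(report):
    """True only when nothing is missing, extra or mismatched."""
    return not (report["missing"] or report["extra"] or report["mismatched"])


def demo():
    """Constructed scenario: copy a tree, then truncate one file and drop another."""
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        src = os.path.join(old, "data")          # stands in for /mnt/efs-old
        os.makedirs(os.path.join(src, "logs"))
        with open(os.path.join(src, "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(src, "logs", "audit.log"), "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024))  # 3 MiB, exercises chunked hashing
        with open(os.path.join(src, "logs", "old.log"), "w") as f:
            f.write("rotated\n")

        dst = os.path.join(new, "data")          # stands in for /mnt/efs-new
        shutil.copytree(src, dst, symlinks=True)
        clean = compare_manifests(build_manifest(src), build_manifest(dst))

        # Simulate an interrupted or corrupted copy on the destination side.
        with open(os.path.join(dst, "logs", "audit.log"), "r+b") as f:
            f.truncate(1024)
        os.remove(os.path.join(dst, "logs", "old.log"))
        damaged = compare_manifests(build_manifest(src), build_manifest(dst))
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("after copy:  ", "OK" if copy_is_complete(clean) else clean)
    print("after damage:", damaged)
```

Against real mounts, call compare_manifests(build_manifest("/mnt/efs-old"), build_manifest("/mnt/efs-new")) and refuse to delete the old file system unless copy_is_complete returns True; hashing every file reads the whole data set once, so run it from an instance in the same VPC rather than over a VPN link.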

Important:

 Customer managed keys incur AWS KMS charges for the key itself and for the API requests EFS makes with it. Once a file system has been created, AWS does not allow its encryption setting or key to be changed; the only remediation is to create a new encrypted file system and migrate the data. If the customer managed key is later disabled or scheduled for deletion, the file system becomes unreadable, so restrict who can change the key policy and monitor the key's state.

Reference:

Blue Hexagon Proprietary