Control: 2.3.1 Ensure that encryption is enabled for EFS file systems
Description
EFS data should be encrypted at rest using AWS KMS (Key Management Service).
Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.
Remediation
It is important to note that EFS file system data-at-rest encryption must be turned on when creating the file system. If an EFS file system has been created without data-at-rest encryption enabled, then you must create another EFS file system with the correct configuration and transfer the data.
Steps to create an EFS file system with data encrypted at rest:
From Console:
- Login to the AWS Management Console and navigate to the Elastic File System (EFS) dashboard.
- Select File Systems from the left navigation panel.
- Click the Create File System button from the dashboard top menu to start the file system setup process.
- On the Configure file system access configuration page, perform the following actions:
  - Choose an appropriate VPC from the VPC dropdown list.
  - Within the Create mount targets section, check the boxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets.
  - Click Next step to continue.
- On the Configure optional settings page, perform the following actions:
  - Create tags to describe your new file system.
  - Choose the performance mode based on your requirements.
  - Check the Enable encryption checkbox and choose aws/elasticfilesystem from the Select KMS master key dropdown list to enable encryption for the new file system, using the default master key provided and managed by AWS KMS.
  - Click Next step to continue.
- Review the file system configuration details on the Review and create page and then click Create File System to create your new AWS EFS file system.
- Copy the data from the old unencrypted EFS file system onto the newly created encrypted file system.
- Remove the unencrypted file system as soon as your data migration to the newly created encrypted file system is completed.
- Change the AWS region from the navigation bar and repeat the entire process for the other AWS regions.
From CLI:
- Run the describe-file-systems command to view the configuration information for the unencrypted file system identified in the Audit steps:
aws efs describe-file-systems --region <region> --file-system-id <file-system-id>
- The command output should return the requested configuration information; an unencrypted file system shows "Encrypted": false.
- To provision a new AWS EFS file system, you need a creation token for the create-file-system command: a unique string of up to 64 ASCII characters that makes the call idempotent. A randomly generated UUID (for example from uuidgen, or from "https://www.uuidgenerator.net") is a suitable token.
- Run the create-file-system command using the token created at the previous step:
aws efs create-file-system --region <region> --creation-token <token (randomly generated UUID from the previous step)> --performance-mode generalPurpose --encrypted
  With --encrypted and no --kms-key-id, the file system is encrypted with the AWS managed key aws/elasticfilesystem; add --kms-key-id <key-id> to use a customer managed KMS key from the same region instead.
- The command output should return the new file system configuration metadata, including "Encrypted": true.
- Run the create-mount-target command using the newly created EFS file system ID returned at the previous step as identifier and the ID of a subnet in the Availability Zone (AZ) that will host the mount target (repeat for each AZ that needs one):
aws efs create-mount-target --region <region> --file-system-id <file-system-id> --subnet-id <subnet-id>
- The command output should return the new mount target metadata.
- Now you can mount your file system from an EC2 instance.
- Copy the data from the old unencrypted EFS file system onto the newly created encrypted file system.
- Remove the unencrypted file system as soon as your data migration to the newly created encrypted file system is completed. A file system that still has mount targets cannot be deleted, so delete its mount targets first (delete-mount-target), then run:
aws efs delete-file-system --region <region> --file-system-id <unencrypted-file-system-id>
- Change the AWS region by updating --region and repeat the entire process for the other AWS regions.
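The CLI procedure above, worked as an added example that is not part of the control or the Powerpipe mod: a Python script that reads the JSON produced by aws efs describe-file-systems --output json, flags every file system that is not encrypted at rest, and prints the remediation commands for each one. It makes no AWS calls. The sample document is constructed, the subnet IDs and KMS key ARN are placeholders, and the creation token is generated locally with uuid4 instead of being fetched from a website.

```python
"""Audit `aws efs describe-file-systems --output json` output for CIS 2.3.1
and build the remediation commands from the steps above.

Added example; makes no AWS calls. Usage:
    aws efs describe-file-systems --region us-east-1 --output json > efs.json
    python3 efs_encryption_check.py efs.json us-east-1 subnet-0a1b2c3d subnet-0e4f5a6b
With no arguments it runs against the constructed sample below.
"""
import json
import sys
import uuid

# Constructed sample in the shape the CLI returns (not real resources).
SAMPLE_DESCRIBE_OUTPUT = {
    "FileSystems": [
        {   # compliant: encrypted with a KMS key
            "FileSystemId": "fs-11111111",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "PerformanceMode": "generalPurpose",
            "LifeCycleState": "available",
        },
        {   # non-compliant: created via CLI/API without --encrypted
            "FileSystemId": "fs-22222222",
            "Encrypted": False,
            "PerformanceMode": "maxIO",
            "LifeCycleState": "available",
        },
        {   # already being removed; nothing left to remediate
            "FileSystemId": "fs-33333333",
            "Encrypted": False,
            "LifeCycleState": "deleting",
        },
    ]
}


def is_compliant(fs):
    """True only when the API reports the file system as encrypted at rest.
    A missing 'Encrypted' field is treated as False, matching the CLI/API
    default described under Default Value."""
    return bool(fs.get("Encrypted", False))


def unencrypted_file_systems(describe_output):
    """File systems that fail the control, skipping ones already being deleted."""
    return [
        fs for fs in describe_output.get("FileSystems", [])
        if fs.get("LifeCycleState") not in ("deleting", "deleted") and not is_compliant(fs)
    ]


def remediation_commands(fs, region, subnet_ids, kms_key_id=None, token=None):
    """Return the CLI steps that replace one unencrypted file system.

    The creation token must be unique per new file system; reusing the same
    token makes create-file-system idempotent, so keep it until the call
    succeeds. The replacement keeps the old file system's performance mode,
    which also cannot be changed after creation.
    """
    token = token or str(uuid.uuid4())  # local UUID instead of a web generator
    mode = fs.get("PerformanceMode", "generalPurpose")
    create = (f"aws efs create-file-system --region {region} "
              f"--creation-token {token} --performance-mode {mode} --encrypted")
    if kms_key_id:  # omit to use the AWS managed key aws/elasticfilesystem
        create += f" --kms-key-id {kms_key_id}"
    mount_targets = [
        f"aws efs create-mount-target --region {region} "
        f"--file-system-id <new-file-system-id> --subnet-id {subnet}"
        for subnet in subnet_ids
    ]
    delete = (f"aws efs delete-file-system --region {region} "
              f"--file-system-id {fs['FileSystemId']}")
    return {"token": token, "create": create, "mount_targets": mount_targets, "delete": delete}


def report(describe_output, region, subnet_ids):
    """Build a remediation plan as a list of lines (empty when everything is compliant)."""
    lines = []
    for fs in unencrypted_file_systems(describe_output):
        cmds = remediation_commands(fs, region, subnet_ids)
        lines.append(f"ALARM {fs['FileSystemId']}: not encrypted at rest")
        lines.append("  " + cmds["create"])
        lines.extend("  " + m for m in cmds["mount_targets"])
        lines.append("  # copy the data, delete the old mount targets, then:")
        lines.append("  " + cmds["delete"])
    return lines


if __name__ == "__main__":
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as f:
            doc = json.load(f)
        region, subnets = sys.argv[2], sys.argv[3:]
    else:
        doc, region, subnets = SAMPLE_DESCRIBE_OUTPUT, "us-east-1", ["subnet-0a1b2c3d"]
    print("\n".join(report(doc, region, subnets)) or "OK: all file systems encrypted at rest")
```

The mount-target commands carry a <new-file-system-id> placeholder on purpose: the real ID only exists after create-file-system returns, so the plan is meant to be read and executed step by step rather than piped straight into a shell.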
Default Value:
EFS file system data is encrypted at rest by default when creating a file system through the Console. However, encryption at rest is not enabled by default when creating a new file system using the AWS CLI, API, or SDKs.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v400_2_3_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v400_2_3_1 --share
SQL
This control uses a named query:
efs_file_system_encrypt_data_at_rest