v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS

Description

This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases.

Note that this control does not use the KmsKeyId parameter for efs-encrypted-check. It only checks the value of Encrypted.

For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system. To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS.

Remediation

For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_efs_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_1 --share

SQL

This control uses a named query:

efs_file_system_encrypt_data_at_rest

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_at_rest
foundational_security_item_id = efs_1
plugin = aws
service = AWS/EFS