turbot/aws_compliance

Query: efs_file_system_encrypted_with_cmk

Usage

powerpipe query aws_compliance.query.efs_file_system_encrypted_with_cmk

SQL

-- Compliance check: an EFS file system is 'ok' only when it is encrypted and
-- its KMS key matches an enabled key whose key_manager is 'CUSTOMER'.
-- Every other case is reported as 'alarm'.
-- Output columns: resource, status, reason, region, account_id.
with aws_efs_file_systems as (
  -- One row per EFS file system. tags and _ctx are selected here but are not
  -- referenced by the final select below.
  select
    arn,
    encrypted,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_efs_file_system as fs
  -- NOTE(review): an order by inside a CTE does not define the order of the
  -- final result; kept as-is in case it is deliberate -- confirm.
  order by
    arn,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
),
kms_keys as (
  -- KMS keys as returned by aws_kms_key.
  select
    k.key_manager,
    k.arn,
    k.region,
    k.account_id,
    k.enabled
  from
    aws_kms_key as k
),
encrypted_fs as (
  -- The filter on k.enabled discards the null-extended rows of the left join,
  -- so only file systems whose kms_key_id equals the arn of an enabled key
  -- survive. Assumes kms_key_id holds the full key ARN -- TODO confirm.
  select
    fs.arn as arn,
    k.key_manager
  from
    aws_efs_file_systems as fs
    left join kms_keys as k on fs.kms_key_id = k.arn
  where
    k.enabled
)
select
  efs.arn as resource,
  -- 'ok' needs both conditions; a false or null encrypted flag, or a missing
  -- or non-CUSTOMER key_manager, falls through to 'alarm'.
  case
    when efs.encrypted and cmk.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  -- Caveat for triage: a file system whose key is disabled, or whose key has
  -- no row in aws_kms_key, has a null key_manager here and is reported as
  -- ' not encrypted with CMK.' even if a customer managed key is configured.
  case
    when efs.encrypted and cmk.key_manager = 'CUSTOMER' then efs.title || ' encrypted with CMK.'
    when not efs.encrypted then efs.title || ' not encrypted.'
    else efs.title || ' not encrypted with CMK.'
  end as reason,
  efs.region,
  efs.account_id
from
  aws_efs_file_systems as efs
  left join encrypted_fs as cmk on efs.arn = cmk.arn;

Controls

This query is used by the following controls: