turbot/steampipe-mod-aws-compliance

Control: EFS file systems should be encrypted with CMK

Description

Ensure AWS Elastic File System (EFS) file systems are encrypted using a customer managed KMS key (CMK). The rule is non-compliant if the EFS file system is not encrypted, or is encrypted with a key that is not a CMK.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.efs_file_system_encrypted_with_cmk

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.efs_file_system_encrypted_with_cmk --share

SQL

This control uses a named query:

with aws_efs_file_systems as (
  select
    arn,
    encrypted,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_efs_file_system as fs
  order by
    arn,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
),
kms_keys as (
  select
    k.key_manager,
    k.arn,
    k.region,
    k.account_id,
    k.enabled
  from
    aws_kms_key as k
),
encrypted_fs as (
  select
    fs.arn as arn,
    key_manager
  from
    aws_efs_file_systems as fs
    left join kms_keys as k on fs.kms_key_id = k.arn
  where
    enabled
)
select
  f.arn as resource,
  case
    when not encrypted then 'alarm'
    when encrypted and e.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not encrypted then title || ' not encrypted.'
    when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason,
  f.region,
  f.account_id
from
  aws_efs_file_systems as f
  left join encrypted_fs as e on f.arn = e.arn;
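To show what each branch of the query produces, here is an added Python model of the control's logic run over constructed EFS and KMS records; it is not Turbot's code, and the ARNs, key names and file system names are invented. It also spells out the disabled-key case, which the SQL handles implicitly by filtering on `enabled` before the final left join.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed records mirroring the Steampipe columns the control reads:
# aws_efs_file_system (encrypted, kms_key_id) and aws_kms_key (key_manager, enabled).
@dataclass(frozen=True)
class FileSystem:
    arn: str
    title: str
    encrypted: bool
    kms_key_id: Optional[str]

@dataclass(frozen=True)
class KmsKey:
    arn: str
    key_manager: str  # 'CUSTOMER' for a customer managed key, 'AWS' for an AWS managed key
    enabled: bool

def evaluate(fs: FileSystem, keys: dict) -> tuple:
    """Return (status, reason) following the control's two CASE expressions.
    The encrypted_fs CTE only keeps keys where `enabled` is true, so a file system
    whose CMK was disabled gets no key_manager and lands in the same
    'not encrypted with CMK' branch as one using an AWS managed key."""
    if not fs.encrypted:
        return "alarm", f"{fs.title} not encrypted."
    key = keys.get(fs.kms_key_id or "")
    if key is not None and key.enabled and key.key_manager == "CUSTOMER":
        return "ok", f"{fs.title} encrypted with CMK."
    return "alarm", f"{fs.title} not encrypted with CMK."

def run_control(systems, keys):
    """Evaluate every file system; returns {arn: (status, reason)}."""
    return {fs.arn: evaluate(fs, keys) for fs in systems}

# Constructed sample data (111122223333 is the AWS documentation example account id).
KEY_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"
KEYS = {k.arn: k for k in (
    KmsKey(KEY_PREFIX + "cmk-enabled", "CUSTOMER", True),
    KmsKey(KEY_PREFIX + "cmk-disabled", "CUSTOMER", False),
    KmsKey(KEY_PREFIX + "aws-efs-managed", "AWS", True),
)}
FS_PREFIX = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/"
SYSTEMS = [
    FileSystem(FS_PREFIX + "fs-plain", "fs-plain", False, None),
    FileSystem(FS_PREFIX + "fs-cmk", "fs-cmk", True, KEY_PREFIX + "cmk-enabled"),
    FileSystem(FS_PREFIX + "fs-disabled", "fs-disabled", True, KEY_PREFIX + "cmk-disabled"),
    FileSystem(FS_PREFIX + "fs-aws", "fs-aws", True, KEY_PREFIX + "aws-efs-managed"),
]
```

Only the file system backed by an enabled customer managed key reports `ok`; the other three are alarms with the reasons the query would emit.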

Tags