Control: 8 EFS file systems should be encrypted at rest
Description
This control checks whether an Amazon EFS file system encrypts data at rest with AWS Key Management Service (AWS KMS). The control fails if a file system isn't encrypted. Note that the query on this page is stricter than that description: a file system is reported as ok only when it is encrypted with an enabled customer managed key (key_manager = 'CUSTOMER'). A file system encrypted with the AWS managed key is reported as an alarm, as is one whose key is disabled or is not visible to the connection (for example, a key in an account that isn't connected).
Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.
Remediation
Encryption at rest can only be chosen when a file system is created; it can't be turned on for an existing file system. To remediate an unencrypted file system, create a new encrypted file system (with a customer managed key if this control's ok status is required) and migrate the data to it. For the creation steps, see Encrypting data at rest in the Amazon Elastic File System User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_efs_8
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_8 --share
SQL
This control uses a named query:
with aws_efs_file_systems as (
  select
    arn, encrypted, kms_key_id, title, region, account_id, tags, _ctx
  from
    aws_efs_file_system as fs
  order by
    arn, kms_key_id, title, region, account_id, tags, _ctx
),
kms_keys as (
  select
    k.key_manager, k.arn, k.region, k.account_id, k.enabled
  from
    aws_kms_key as k
),
encrypted_fs as (
  select
    fs.arn as arn, key_manager
  from
    aws_efs_file_systems as fs
    left join kms_keys as k on fs.kms_key_id = k.arn
  where
    enabled
)
select
  f.arn as resource,
  case
    when not encrypted then 'alarm'
    when encrypted and e.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not encrypted then title || ' not encrypted.'
    when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason,
  f.region,
  f.account_id
from
  aws_efs_file_systems as f
  left join encrypted_fs as e on f.arn = e.arn;
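The following is an added example, not part of the Steampipe mod: it runs the same classification logic as the named query above over constructed sample rows (the file system titles, ARNs, key IDs and account IDs are made up) so the outcomes can be compared side by side without a Steampipe connection. It replaces the aws_efs_file_system and aws_kms_key tables with inline VALUES lists and runs on any PostgreSQL database; the assumed cases are an unencrypted file system, one on the AWS managed key, one on an enabled customer managed key, one on a disabled customer managed key, and one whose key belongs to an account that is not in the key listing.

```sql
-- Added example, not the mod's own query. Sample rows are constructed;
-- ARNs, key IDs and account numbers are placeholders.
with aws_efs_file_systems (arn, encrypted, kms_key_id, title, region, account_id) as (
  values
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-plain',
      false, null, 'fs-plain', 'us-east-1', '111122223333'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-awskey',
      true, 'arn:aws:kms:us-east-1:111122223333:key/aaaa-aws', 'fs-awskey', 'us-east-1', '111122223333'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-cmk',
      true, 'arn:aws:kms:us-east-1:111122223333:key/bbbb-cmk', 'fs-cmk', 'us-east-1', '111122223333'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-disabled',
      true, 'arn:aws:kms:us-east-1:111122223333:key/cccc-off', 'fs-disabled', 'us-east-1', '111122223333'),
    ('arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-foreign',
      true, 'arn:aws:kms:us-east-1:999988887777:key/dddd-ext', 'fs-foreign', 'us-east-1', '111122223333')
),
-- Stand-in for aws_kms_key: only keys visible to this connection appear.
-- The key dddd-ext lives in account 999988887777, which is not connected,
-- so it is absent here.
kms_keys (key_manager, arn, region, account_id, enabled) as (
  values
    ('AWS',      'arn:aws:kms:us-east-1:111122223333:key/aaaa-aws', 'us-east-1', '111122223333', true),
    ('CUSTOMER', 'arn:aws:kms:us-east-1:111122223333:key/bbbb-cmk', 'us-east-1', '111122223333', true),
    ('CUSTOMER', 'arn:aws:kms:us-east-1:111122223333:key/cccc-off', 'us-east-1', '111122223333', false)
),
-- Same shape as the mod's encrypted_fs CTE: the WHERE on the left-joined
-- column drops both disabled keys and keys that were never matched.
encrypted_fs as (
  select fs.arn as arn, k.key_manager
  from aws_efs_file_systems as fs
  left join kms_keys as k on fs.kms_key_id = k.arn
  where k.enabled
)
select
  f.title as resource,
  case
    when not f.encrypted then 'alarm'
    when f.encrypted and e.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not f.encrypted then f.title || ' not encrypted.'
    when f.encrypted and e.key_manager = 'CUSTOMER' then f.title || ' encrypted with CMK.'
    else f.title || ' not encrypted with CMK.'
  end as reason
from aws_efs_file_systems as f
left join encrypted_fs as e on f.arn = e.arn
order by f.title;
```

Only fs-cmk comes back as ok. fs-plain is an alarm because encrypted is false; fs-awskey is an alarm because its key_manager is 'AWS', not 'CUSTOMER'; fs-disabled and fs-foreign are alarms because their keys are filtered out of encrypted_fs (disabled, or not present in the key listing), which leaves e.key_manager null and falls through to the else branch. The reason text for those last two reads "not encrypted with CMK" even though the file system is encrypted, so when triaging alarms, check the key's state and account before assuming the file system was created without a customer managed key.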