Control: 1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS
Description
This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases.
- Encrypted is set to false in the DescribeFileSystems response.
- The KmsKeyId key in the DescribeFileSystems response does not match the KmsKeyId parameter for efs-encrypted-check.
Note that this control does not use the KmsKeyId parameter for efs-encrypted-check. It only checks the value of Encrypted.
For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption of file system data at rest, and you can enable it when you create an Amazon EFS file system. To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS.
Remediation
For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_efs_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_1 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when encrypted then title || ' encrypted at rest.'
    else title || ' not encrypted at rest.'
  end as reason,
  region,
  account_id
from
  aws_efs_file_system;
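The two failure cases listed in the Description, applied to a DescribeFileSystems response, as an added example that is not Powerpipe or AWS code. The function name evaluate and its expected_kms_key_id argument are hypothetical, and the sample response, account ID and key ARNs are constructed placeholders.

```python
# Constructed sample shaped like a DescribeFileSystems response (placeholder values).
ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/"
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE_RESPONSE = {
    "FileSystems": [
        {"FileSystemArn": ARN + "fs-aaaa1111", "Name": "app-data",
         "Encrypted": True, "KmsKeyId": KEY_A},
        {"FileSystemArn": ARN + "fs-bbbb2222", "Name": "build-cache",
         "Encrypted": True, "KmsKeyId": KEY_B},
        {"FileSystemArn": ARN + "fs-cccc3333", "Name": "legacy-share",
         "Encrypted": False},
    ]
}


def evaluate(response, expected_kms_key_id=None):
    """Return one finding per file system.

    expected_kms_key_id=None checks only Encrypted, which is what this
    control does. Passing a key ARN (hypothetical argument) also applies
    the second failure case: KmsKeyId must match the expected key.
    """
    findings = []
    for fs in response.get("FileSystems", []):
        title = fs.get("Name") or fs.get("FileSystemId", "unknown")
        if not fs.get("Encrypted", False):
            # A missing Encrypted field is treated as unencrypted (fail closed).
            status, reason = "alarm", f"{title} not encrypted at rest."
        elif expected_kms_key_id and fs.get("KmsKeyId") != expected_kms_key_id:
            status, reason = "alarm", f"{title} encrypted with an unexpected KMS key."
        else:
            status, reason = "ok", f"{title} encrypted at rest."
        findings.append({"resource": fs.get("FileSystemArn"),
                         "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    print("Encrypted only (this control's behaviour):")
    for f in evaluate(SAMPLE_RESPONSE):
        print(f"  {f['status']:5} {f['reason']}")
    print("With an expected KMS key:")
    for f in evaluate(SAMPLE_RESPONSE, expected_kms_key_id=KEY_A):
        print(f"  {f['status']:5} {f['reason']}")
```

The second run shows what the control does not catch: build-cache passes the Encrypted check even though it uses a different key than the one expected.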