turbot/steampipe-mod-aws-compliance

Control: 8 EFS file systems should be encrypted at rest

Description

This control checks whether an Amazon EFS file system encrypts data with AWS Key Management Service (AWS KMS). The control fails if a file system isn't encrypted.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

Remediation

To enable encryption at rest for a new EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_efs_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_8 --share

SQL

This control uses a named query:

-- File systems in scope, with the KMS key (if any) that encrypts each one
with aws_efs_file_systems as (
  select
    arn,
    encrypted,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_efs_file_system as fs
  order by
    arn,
    kms_key_id,
    title,
    region,
    account_id,
    tags,
    _ctx
),
-- KMS key inventory; key_manager is 'AWS' or 'CUSTOMER'
kms_keys as (
  select
    k.key_manager,
    k.arn,
    k.region,
    k.account_id,
    k.enabled
  from
    aws_kms_key as k
),
-- File systems whose key resolves to an enabled KMS key; a disabled or
-- unknown key drops the row here, so the file system is treated as not
-- encrypted with a CMK in the final select
encrypted_fs as (
  select
    fs.arn as arn,
    key_manager
  from
    aws_efs_file_systems as fs
    left join kms_keys as k on fs.kms_key_id = k.arn
  where
    enabled
)
select
  f.arn as resource,
  case
    when not encrypted then 'alarm'
    when encrypted and e.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not encrypted then title || ' not encrypted.'
    when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason,
  f.region,
  f.account_id
from
  aws_efs_file_systems as f
  left join encrypted_fs as e on f.arn = e.arn;
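The query above only reports ok when a file system's key is a customer-managed key that is currently enabled; an AWS-managed key, a disabled CMK, or a key ARN that does not appear in the aws_kms_key inventory all end up as alarm. The following is an added example, not code from the steampipe-mod-aws-compliance mod: it loads constructed sample rows into an in-memory SQLite database with tables named like the two Steampipe tables the query reads (aws_efs_file_system and aws_kms_key, with only the columns the query uses and booleans stored as 0/1, which are assumptions of this example), runs the control's SQL, and returns the status and reason per file system so each of those edge cases can be checked offline.

```python
"""Exercise the efs_8 control query against constructed sample data in SQLite.

Added example, not part of steampipe-mod-aws-compliance. The table layouts
below are assumptions: only the columns the query touches are created, and
boolean columns (encrypted, enabled) are stored as 0/1 integers.
"""
import sqlite3

# Constructed sample inventory (not real AWS resources).
FS_ARN = "arn:aws:elasticfilesystem:us-east-1:111111111111:file-system/"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/"

SAMPLE_FS = [
    # (arn, encrypted, kms_key_id, title, region, account_id, tags, _ctx)
    (FS_ARN + "fs-plain", 0, None, "fs-plain", "us-east-1", "111111111111", "{}", "{}"),
    (FS_ARN + "fs-awsmanaged", 1, KEY_ARN + "aws-managed", "fs-awsmanaged", "us-east-1", "111111111111", "{}", "{}"),
    (FS_ARN + "fs-cmk", 1, KEY_ARN + "cmk-enabled", "fs-cmk", "us-east-1", "111111111111", "{}", "{}"),
    (FS_ARN + "fs-cmk-disabled", 1, KEY_ARN + "cmk-disabled", "fs-cmk-disabled", "us-east-1", "111111111111", "{}", "{}"),
    (FS_ARN + "fs-cmk-unknown", 1, KEY_ARN + "not-in-inventory", "fs-cmk-unknown", "us-east-1", "111111111111", "{}", "{}"),
]
SAMPLE_KEYS = [
    # (key_manager, arn, region, account_id, enabled)
    ("AWS", KEY_ARN + "aws-managed", "us-east-1", "111111111111", 1),
    ("CUSTOMER", KEY_ARN + "cmk-enabled", "us-east-1", "111111111111", 1),
    ("CUSTOMER", KEY_ARN + "cmk-disabled", "us-east-1", "111111111111", 0),
]

# The control's query as published in the mod, with whitespace compacted.
CONTROL_QUERY = """
with aws_efs_file_systems as (
  select arn, encrypted, kms_key_id, title, region, account_id, tags, _ctx
  from aws_efs_file_system as fs
  order by arn, kms_key_id, title, region, account_id, tags, _ctx
),
kms_keys as (
  select k.key_manager, k.arn, k.region, k.account_id, k.enabled
  from aws_kms_key as k
),
encrypted_fs as (
  select fs.arn as arn, key_manager
  from aws_efs_file_systems as fs
  left join kms_keys as k on fs.kms_key_id = k.arn
  where enabled
)
select
  f.arn as resource,
  case
    when not encrypted then 'alarm'
    when encrypted and e.key_manager = 'CUSTOMER' then 'ok'
    else 'alarm'
  end as status,
  case
    when not encrypted then title || ' not encrypted.'
    when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
    else title || ' not encrypted with CMK.'
  end as reason,
  f.region, f.account_id
from aws_efs_file_systems as f
left join encrypted_fs as e on f.arn = e.arn;
"""


def run_control(fs_rows=SAMPLE_FS, key_rows=SAMPLE_KEYS):
    """Load the rows into in-memory SQLite, run the control query, and
    return {file_system_name: (status, reason)}."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table aws_efs_file_system (arn text primary key, encrypted integer,"
        " kms_key_id text, title text, region text, account_id text, tags text, _ctx text)"
    )
    conn.execute(
        "create table aws_kms_key (key_manager text, arn text primary key,"
        " region text, account_id text, enabled integer)"
    )
    conn.executemany("insert into aws_efs_file_system values (?,?,?,?,?,?,?,?)", fs_rows)
    conn.executemany("insert into aws_kms_key values (?,?,?,?,?)", key_rows)
    rows = conn.execute(CONTROL_QUERY).fetchall()
    conn.close()
    # Key results by the file-system id at the end of the ARN for readability.
    return {arn.rsplit("/", 1)[1]: (status, reason) for arn, status, reason, _r, _a in rows}


def failing_resources(results):
    """Names of file systems the control would report as alarm."""
    return sorted(name for name, (status, _reason) in results.items() if status == "alarm")


if __name__ == "__main__":
    for name, (status, reason) in run_control().items():
        print(f"{status:5}  {reason}")
```

Running it shows that only fs-cmk is ok; fs-awsmanaged (AWS-managed key), fs-cmk-disabled (CMK exists but is disabled) and fs-cmk-unknown (key ARN absent from the aws_kms_key inventory) all report "not encrypted with CMK.", which is useful to know when triaging alarms from this control: the fix may be to re-enable a key or to grant the Steampipe identity KMS read access, not only to re-create the file system.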
