EFS is not encrypted
ID | aws_efs_not_encrypted
Severity | high
Vendor | AWS
Resource | Encryption
Tags | reachable
Description
EFS is not encrypted. Amazon EFS supports two forms of encryption for file systems: encryption of data in transit and encryption of data at rest. You can enable encryption of data at rest when creating an Amazon EFS file system, and encryption of data in transit when you mount the file system.
If the EFS is not encrypted, any user with access to it can read its contents.
To fix it, create a new EFS with encrypt: true (the default is false).
Learn more about this topic at AWS EFS Encryption.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: EFS provisioning
      community.aws.efs:
        state: present
        name: myTestEFS
        tags:
          Name: myTestNameTag
          purpose: file-storage
        targets:
          - subnet_id: subnet-748c5d03
            security_groups: [ "sg-1a2b3c4d" ]
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: EFS provisioning
      community.aws.efs:
        state: present
        name: myTestEFS
        encrypt: true
        kms_key_id: "kms_key_id"
        tags:
          Name: myTestNameTag
          purpose: file-storage
        targets:
          - subnet_id: subnet-748c5d03
            security_groups: [ "sg-1a2b3c4d" ]
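The detection logic this rule describes, as an added example (my own code, not the scanner's rule implementation or part of the Ansible collection): it walks an already-parsed playbook, finds community.aws.efs tasks that create a file system, and flags those whose encrypt parameter is absent or false. The playbook data is constructed from the two examples above; the function names are assumptions.

```python
# Added example (not the scanner's own rule implementation): the check that
# aws_efs_not_encrypted describes, run over an already-parsed Ansible playbook.
# Playbook data is constructed from this page's examples; helper names are hypothetical.
from typing import Any, Dict, List

MODULE_NAMES = {"community.aws.efs", "efs"}  # FQCN, and short name used with 'collections:'
TRUE_VALUES = {"true", "yes", "on", "1"}
FALSE_VALUES = {"false", "no", "off", "0"}

def to_bool(value: Any) -> bool:
    """Interpret a value the way Ansible interprets a boolean module parameter."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    raise ValueError(f"not a boolean: {value!r}")

def efs_tasks(playbook: List[Dict[str, Any]]):
    """Yield (task name, module arguments) for every EFS task in every play."""
    for play in playbook:
        for task in play.get("tasks") or []:
            for module in MODULE_NAMES:
                if module in task:
                    yield task.get("name", "<unnamed>"), task[module] or {}

def find_unencrypted_efs(playbook: List[Dict[str, Any]]) -> List[str]:
    """Return names of tasks that create a file system without encryption at rest."""
    findings = []
    for name, args in efs_tasks(playbook):
        if str(args.get("state", "present")).lower() == "absent":
            continue  # deleting a file system is not a finding
        try:
            encrypted = to_bool(args.get("encrypt", False))  # module default is false
        except ValueError:
            encrypted = False  # an unparseable value is reported rather than trusted
        if not encrypted:
            findings.append(name)
    return findings

# Constructed sample: the vulnerable task and the fixed task from this page.
SAMPLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "EFS provisioning (no encrypt)",
     "community.aws.efs": {"state": "present", "name": "myTestEFS"}},
    {"name": "EFS provisioning (encrypted)",
     "community.aws.efs": {"state": "present", "name": "myTestEFS",
                           "encrypt": True, "kms_key_id": "kms_key_id"}}]}]
```

Calling find_unencrypted_efs(SAMPLE_PLAYBOOK) reports only the first task; because encryption at rest can only be set at creation, the fix is a new file system, as the page states.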