EFS encryption without a customer-managed KMS key

ID

aws_efs_without_kms

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

Amazon Elastic File System (EFS) file systems should be encrypted at rest with a customer-managed KMS key (CMK) rather than the AWS-managed key. With community.aws.efs, setting encrypt: true without kms_key_id creates the file system encrypted under the AWS-managed key aws/elasticfilesystem, whose key policy cannot be edited; a customer-managed key lets you control the key policy and rotation, audit its use in CloudTrail, and disable or schedule deletion of the key independently of the file system. Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device. Note that encryption at rest and the key it uses are fixed when the file system is created: to change either, create a new file system and migrate the data.

To fix it, set the kms_key_id property to a customer-managed key (its key ID, ARN, or alias).

Learn more about this topic at AWS EFS Encryption.
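The following is an added example, not code from the original page or from the community.aws collection: a static check that walks a parsed Ansible playbook (the structure yaml.safe_load returns for the YAML in the examples on this page) and reports every community.aws.efs task that creates a file system without a customer-managed key. It goes a little beyond the page's single case: it descends into block/rescue/always, accepts the legacy short module name efs, ignores state: absent, and also treats an explicit alias/aws/elasticfilesystem (in alias or alias-ARN form) as AWS-managed. The sample playbook and the key ARN in it are constructed for the example; the alias aws/elasticfilesystem is the real AWS-managed key alias for EFS.

```python
"""Flag community.aws.efs tasks that enable encryption without a customer-managed KMS key.

Works on an already-parsed playbook (what yaml.safe_load returns), so it needs
no network access or AWS credentials.
"""
from typing import Any, Dict, Iterator, List, Optional, Tuple

EFS_MODULE_NAMES = ("community.aws.efs", "efs")   # FQCN and legacy short name
AWS_MANAGED_EFS_KEY = "aws/elasticfilesystem"      # AWS-managed key used when kms_key_id is omitted
TASK_LISTS = ("pre_tasks", "tasks", "post_tasks", "handlers")
BLOCK_SECTIONS = ("block", "rescue", "always")

Finding = Tuple[str, str, str]  # (location, task name, reason)


def iter_tasks(items: Any, path: str) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (location, task) for each task, descending into block/rescue/always."""
    if not isinstance(items, list):
        return
    for idx, item in enumerate(items):
        if not isinstance(item, dict):
            continue
        here = f"{path}[{idx}]"
        sections = [s for s in BLOCK_SECTIONS if s in item]
        if sections:
            for section in sections:
                yield from iter_tasks(item[section], f"{here}.{section}")
        else:
            yield here, item


def efs_module_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments (merged with a top-level args: dict) if the task calls EFS."""
    for module in EFS_MODULE_NAMES:
        if module in task:
            args = task[module] if isinstance(task[module], dict) else {}
            extra = task.get("args") if isinstance(task.get("args"), dict) else {}
            return {**extra, **args}
    return None


def is_truthy(value: Any) -> bool:
    """Ansible accepts several spellings for module booleans."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def is_customer_managed(key_id: Any) -> bool:
    """False for a missing/empty key or any form (alias, alias ARN) of the AWS-managed EFS key.

    A key ID, key ARN or a different alias is accepted; a Jinja-templated value cannot be
    resolved statically and is accepted as-is.
    """
    key = "" if key_id is None else str(key_id).strip()
    if not key:
        return False
    alias = key.split("alias/", 1)[1] if "alias/" in key else None
    return alias != AWS_MANAGED_EFS_KEY


def check_playbook(plays: Any) -> List[Finding]:
    """Return one finding per EFS task that would create a file system without a CMK."""
    findings: List[Finding] = []
    if not isinstance(plays, list):
        return findings
    for p_idx, play in enumerate(plays):
        if not isinstance(play, dict):
            continue
        for list_name in TASK_LISTS:
            for where, task in iter_tasks(play.get(list_name), f"plays[{p_idx}].{list_name}"):
                args = efs_module_args(task)
                if args is None or str(args.get("state", "present")).lower() == "absent":
                    continue  # not an EFS task, or a deletion that creates nothing
                name = str(task.get("name", "<unnamed>"))
                if not is_truthy(args.get("encrypt", False)):  # module default is false
                    findings.append((where, name, "encrypt is not enabled (file system created unencrypted)"))
                elif not is_customer_managed(args.get("kms_key_id")):
                    findings.append((where, name, "encrypt: true without a customer-managed kms_key_id "
                                                  f"(AWS-managed key {AWS_MANAGED_EFS_KEY} will be used)"))
    return findings


# Constructed sample: the page's failing and fixed tasks plus two extra cases (key ARN is hypothetical).
SAMPLE_PLAYS: List[Dict[str, Any]] = [{
    "name": "Example playbook", "hosts": "localhost",
    "tasks": [
        {"name": "EFS provisioning",  # page's failing example: encrypt without kms_key_id
         "community.aws.efs": {"state": "present", "name": "myTestEFS", "encrypt": True}},
        {"name": "EFS provisioning with CMK",  # page's fix with a customer-managed key ARN
         "community.aws.efs": {"state": "present", "name": "myTestEFS", "encrypt": True,
                               "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}},
        {"block": [  # nested task, short module name, AWS-managed alias spelled out: still a finding
            {"name": "EFS with AWS-managed alias",
             "efs": {"state": "present", "name": "legacyEFS", "encrypt": "yes",
                     "kms_key_id": "alias/aws/elasticfilesystem"}}]},
        {"name": "Remove old EFS",  # deletion: ignored
         "community.aws.efs": {"state": "absent", "name": "oldEFS"}},
    ]}]

if __name__ == "__main__":
    for where, name, reason in check_playbook(SAMPLE_PLAYS):
        print(f"{where}: {name}: {reason}")
```

To run it against real playbooks, pass yaml.safe_load(open(path).read()) to check_playbook; role task files (a bare list of tasks) can be wrapped as [{"tasks": tasks}]. The check is intentionally static: it does not confirm that a referenced key exists or that the CMK's key policy actually grants EFS the kms:GenerateDataKey permissions it needs, which is what the deployment itself will fail on if misconfigured.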

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: EFS provisioning
      community.aws.efs:
        state: present
        name: myTestEFS
        encrypt: true   # no kms_key_id: EFS falls back to the AWS-managed key aws/elasticfilesystem
        tags:
            Name: myTestNameTag
            purpose: file-storage
        targets:
            - subnet_id: subnet-748c5d03
              security_groups: [ "sg-1a2b3c4d" ]

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: EFS provisioning
      community.aws.efs:
        state: present
        name: myTestEFS
        encrypt: true
        kms_key_id: "kms_key_id"   # key ID, ARN or alias of a customer-managed KMS key
        tags:
            Name: myTestNameTag
            purpose: file-storage
        targets:
            - subnet_id: subnet-748c5d03
              security_groups: [ "sg-1a2b3c4d" ]