Ensure EFS is securely encrypted

ID

efs_volume_encryption_disabled

Severity

high

Vendor

AWS

Resource

EFS

Tags

reachable

Description

Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with your Amazon ECS tasks. Amazon EFS file systems can be mounted by Amazon ECS tasks, so file system data is accessible across your whole fleet of tasks.

To add a layer of data protection against unauthorized access, enable encryption for your EFS volumes.

Examples

CloudFormation

{
  "Resources": {
    "MyEfs": { (1)
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "PerformanceMode": "maxIO",
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_30_DAYS"
          }
        ],
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "TestFileSystem"
          }
        ]
      }
    }
  }
}
1 The Encrypted property is missing, so the EFS file system is created unencrypted.
Resources:
  MyEfs: (1)
    Type: 'AWS::EFS::FileSystem'
    Properties:
      PerformanceMode: maxIO
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS
      FileSystemTags:
        - Key: Name
          Value: TestFileSystem
1 The Encrypted property is missing, so the EFS file system is created unencrypted.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyEfs": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "PerformanceMode": "maxIO",
        "Encrypted": true, (1)
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_30_DAYS"
          }
        ],
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "TestFileSystem"
          }
        ]
      }
    }
  }
}
1 Encrypted set to true means the EFS file system is encrypted at rest.
Resources:
  MyEfs:
    Type: 'AWS::EFS::FileSystem'
    Properties:
      PerformanceMode: maxIO
      Encrypted: true (1)
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS
      FileSystemTags:
        - Key: Name
          Value: TestFileSystem
1 Encrypted set to true means the EFS file system is encrypted at rest.
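The build-time check above can be automated against a template before deployment. The following is an added example (not the policy tool's own implementation) that classifies every AWS::EFS::FileSystem resource in a JSON CloudFormation template as passing, failing, or unresolvable (when Encrypted is set through an intrinsic function such as Ref). The template below is constructed for the example; the Encrypted handling covers the boolean and string forms CloudFormation accepts.

```python
import json
from typing import Dict, List

# Constructed sample template: the page's unencrypted MyEfs plus extra cases.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "MyEfs": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"PerformanceMode": "maxIO"},
        },
        "SecureEfs": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"Encrypted": True, "KmsKeyId": "alias/example-cmk"},
        },
        "StringEfs": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"Encrypted": "false"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
})


def encryption_status(properties: Dict) -> str:
    """Classify the Encrypted property as 'pass', 'fail' or 'unknown'."""
    value = properties.get("Encrypted")
    if isinstance(value, bool):
        return "pass" if value else "fail"
    if isinstance(value, str):  # CloudFormation also accepts "true"/"false" strings
        return "pass" if value.strip().lower() == "true" else "fail"
    if isinstance(value, dict):  # {"Ref": ...} / {"Fn::If": ...}: not resolvable statically
        return "unknown"
    return "fail"  # property absent: the file system is created unencrypted


def find_unencrypted_efs(template_text: str) -> Dict[str, List[str]]:
    """Return logical IDs of AWS::EFS::FileSystem resources grouped by status."""
    template = json.loads(template_text)
    report: Dict[str, List[str]] = {"pass": [], "fail": [], "unknown": []}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EFS::FileSystem":
            continue
        report[encryption_status(resource.get("Properties") or {})].append(logical_id)
    return report


if __name__ == "__main__":
    for logical_id in find_unencrypted_efs(SAMPLE_TEMPLATE)["fail"]:
        print(f"efs_volume_encryption_disabled: {logical_id}")
```

Resources reported as "unknown" should be reviewed by hand, since a Ref to a parameter may resolve to false at deploy time.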

Runtime

AWS Console

To enable encryption when creating the file system in the AWS Management Console:

  • Open the AWS EFS Console.

  • Click Create file system.

  • Select Enable encryption.

  • To encrypt with your own KMS customer managed key (CMK), select its name from the KMS master key list.

CLI Command

aws efs create-file-system --creation-token $(uuidgen) --performance-mode generalPurpose --encrypted --kms-key-id <cmk-key-alias>