Ensure EFS file system is encrypted by KMS using a customer managed Key (CMK)

Error: AWS Elastic File System (EFS) not encrypted using Customer Managed Key
Bridgecrew Policy ID: BC_AWS_GENERAL_104
Checkov Check ID: CKV_AWS_184
Severity: MEDIUM

AWS Elastic File System (EFS) not encrypted using Customer Managed Key

Description

This policy identifies Elastic File Systems (EFSs) that are encrypted with the default AWS managed KMS key rather than with a customer managed key. It is a best practice to use customer managed KMS keys to encrypt your EFS data, because they give you full control over the key and therefore over the encrypted data.

Fix - Runtime

AWS Console

AWS EFS encryption of data at rest can only be enabled during file system creation. To resolve this alert, create a new EFS with encryption enabled using a customer managed key, migrate all required data from the reported EFS to the newly created one, and then delete the reported EFS.

To create a new EFS with encryption enabled, perform the following:

  1. Sign into the AWS console
  2. In the console, select the region for which the alert was generated from the region drop-down in the top right corner
  3. Navigate to the EFS dashboard
  4. Click 'File systems' (left panel)
  5. Click the 'Create file system' button
  6. On the 'Configure file system access' step, specify the EFS details as per your requirements and click 'Next Step'
  7. On the 'Configure optional settings' step, under 'Enable encryption' choose 'Enable encryption of data at rest', select a customer managed key (i.e. any key other than the default aws/elasticfilesystem) from the 'Select KMS master key' dropdown list, set the other parameters, and click 'Next Step'
  8. On the 'Review and create' step, review all your settings and click the 'Create File System' button

To delete the reported EFS, which is not encrypted with a customer managed key, perform the following:

  1. Sign into the AWS console
  2. In the console, select the region for which the alert was generated from the region drop-down in the top right corner
  3. Navigate to the EFS dashboard
  4. Click 'File systems' (left panel)
  5. Select the reported file system
  6. Click the 'Actions' drop-down
  7. Click 'Delete file system'
  8. In the 'Permanently delete file system' popup box, enter the file system's ID to confirm the deletion and click 'Delete File System'

Fix - Buildtime

Terraform

  • Resource: aws_efs_file_system
  • Arguments: encrypted, kms_key_id
resource "aws_efs_file_system" "enabled" {
  creation_token = "example"
  # kms_key_id is only honoured when encrypted is set to true
  encrypted      = true
  # ARN of the customer managed key; replace the placeholder with your own key
  # (for example a reference to an aws_kms_key resource you manage)
  kms_key_id     = "<kms key arn>"
}
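As an added example (not code from this policy page or from the Checkov project), the following Python helper applies the same rule on both sides: a buildtime pass over an aws_efs_file_system attribute map and a runtime pass over EFS DescribeFileSystems entries combined with the KeyManager field that KMS DescribeKey returns ("AWS" or "CUSTOMER"). The attribute-map shape, file system ids, key ARNs and account number are constructed placeholders, and the runtime pass also reports unencrypted file systems, which goes beyond this policy's scope.

```python
"""Added example: flag EFS file systems that do not use a customer managed KMS key."""
from typing import Dict, List

# Alias AWS attaches to the default (AWS managed) EFS key named on the page.
DEFAULT_EFS_KEY_ALIAS = "alias/aws/elasticfilesystem"


def evaluate_terraform_resource(conf: Dict) -> str:
    """Buildtime check over an aws_efs_file_system attribute map
    (assumed shape: attribute name -> value, as parsed from HCL).
    PASSED only when encryption is on and a non-default key is referenced."""
    encrypted = conf.get("encrypted") is True
    kms_key_id = conf.get("kms_key_id")
    if encrypted and kms_key_id and DEFAULT_EFS_KEY_ALIAS not in str(kms_key_id):
        return "PASSED"
    return "FAILED"


def find_default_key_file_systems(file_systems: List[Dict],
                                  key_manager: Dict[str, str]) -> List[str]:
    """Runtime check. `file_systems` entries carry FileSystemId, Encrypted and
    KmsKeyId as in DescribeFileSystems; `key_manager` maps a KmsKeyId to the
    KeyManager value from DescribeKey. Returns ids that are unencrypted or
    encrypted with anything other than a CUSTOMER managed key."""
    flagged = []
    for fs in file_systems:
        if not fs.get("Encrypted"):
            flagged.append(fs["FileSystemId"])
            continue
        manager = key_manager.get(fs.get("KmsKeyId", ""), "UNKNOWN")
        if manager != "CUSTOMER":
            flagged.append(fs["FileSystemId"])
    return flagged


# Constructed sample data: placeholder ids, ARNs and account number.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-aaaa0001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/default-0000"},
    {"FileSystemId": "fs-aaaa0002", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-0000"},
    {"FileSystemId": "fs-aaaa0003", "Encrypted": False},
]
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/default-0000": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0000": "CUSTOMER",
}

if __name__ == "__main__":
    print(find_default_key_file_systems(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_MANAGER))
```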