Ensure AWS EFS with encryption for data at rest is enabled

Error: AWS EFS with encryption for data at rest is disabled

Bridgecrew Policy ID: BC_AWS_GENERAL_17
Checkov Check ID: CKV_AWS_42
Severity: MEDIUM

AWS EFS with encryption for data at rest is disabled

Description

Amazon Elastic File System (Amazon EFS) is a simple, scalable file storage solution for AWS services and on-premises resources. Amazon EFS is built to elastically scale on-demand. It grows and shrinks automatically as files are added and removed.

It is essential to encrypt your Amazon EFS to protect data and metadata against unauthorized access. Encrypting your Amazon EFS also fulfils compliance requirements for data-at-rest encryption when file systems are used in production systems.

Fix - Runtime

Amazon Console

To create an encrypted file system using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Elastic File System console.
  3. To open the file system creation wizard, click Create file system.
  4. Select Enable encryption.
  5. To encrypt with your own KMS CMK instead of the AWS-managed key, select its name from the KMS master key list.

CLI Command

In the CreateFileSystem operation, the --encrypted parameter is a Boolean and is required for creating an encrypted file system. The --kms-key-id parameter is required only when you use a customer-managed CMK; it takes the key's ID, alias (alias/<name>) or ARN. Without it, the AWS-managed EFS key is used.

# --kms-key-id accepts a key ID, an alias in the form alias/<name>, or the key ARN
aws efs create-file-system \
  --creation-token $(uuidgen) \
  --performance-mode generalPurpose \
  --encrypted \
  --kms-key-id alias/customer-managedCMKalias
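Encryption at rest is chosen when the file system is created, so the runtime fix above cannot be applied to an existing unencrypted file system; it has to be recreated and the data migrated. The following added example (not part of the original policy page) audits the JSON that `aws efs describe-file-systems` returns and lists every file system that fails this check, along with the KMS key each encrypted one uses. The sample output embedded in it is constructed, and the file system IDs and key ARNs in it are placeholders.

```python
import json
import sys

# Constructed sample of `aws efs describe-file-systems` output.
# IDs and key ARNs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",
            "Name": "app-data",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOMER-KEY",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",
            "Name": "scratch",
            "Encrypted": False,
        },
        {
            "FileSystemId": "fs-00000000000000001",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-AWS-MANAGED-KEY",
        },
    ]
})


def find_unencrypted_file_systems(describe_output: str) -> list:
    """Return (FileSystemId, Name) for every file system whose Encrypted flag is not true.

    A missing Encrypted field is treated as a failure as well, since the
    check is "encryption is confirmed on", not "encryption is not denied".
    """
    data = json.loads(describe_output)
    findings = []
    for fs in data.get("FileSystems", []):
        if fs.get("Encrypted") is not True:
            findings.append((fs["FileSystemId"], fs.get("Name", "")))
    return findings


def encryption_report(describe_output: str) -> dict:
    """Map each FileSystemId to the KMS key ARN protecting it, or None if unencrypted."""
    data = json.loads(describe_output)
    report = {}
    for fs in data.get("FileSystems", []):
        if fs.get("Encrypted") is True:
            report[fs["FileSystemId"]] = fs.get("KmsKeyId")
        else:
            report[fs["FileSystemId"]] = None
    return report


if __name__ == "__main__":
    # Pipe real output in with:  aws efs describe-file-systems | python audit_efs.py
    # Otherwise the constructed sample above is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for fs_id, name in find_unencrypted_file_systems(raw):
        print(f"FAIL CKV_AWS_42: {fs_id} ({name or 'unnamed'}) is not encrypted at rest")
    for fs_id, key in encryption_report(raw).items():
        print(f"{fs_id}: {'unencrypted' if key is None else 'kms ' + key}")
```

The report does not try to tell an AWS-managed key from a customer-managed one by its ARN; both appear as `key/<id>` ARNs, so that distinction needs a `kms describe-key` lookup (KeyManager field) if it matters for your policy.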

Fix - Buildtime

Terraform

  • Resource: aws_efs_file_system
  • Arguments: encrypted - (Optional) If true, the file system is encrypted at rest. If you are using AWS KMS, you can optionally provide a KMS customer master key via kms_key_id; otherwise the AWS-managed EFS key is used.
resource "aws_efs_file_system" "example" {
  ...
  creation_token = "default-efs"
+ encrypted      = true
+ kms_key_id     = aws_kms_key.default-kms.arn
}

CloudFormation

  • Resource: AWS::EFS::FileSystem
  • Arguments: Encrypted - (Optional) If true, the file system is encrypted at rest. If you are using AWS KMS, you can optionally provide a KMS customer master key via KmsKeyId; otherwise the AWS-managed EFS key is used.
Resources:
  FileSystemResource:
    Type: 'AWS::EFS::FileSystem'
    Properties:
      ...
+     Encrypted: true
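The build-time fixes for Terraform and CloudFormation above both come down to one condition: every EFS file system resource must set its encrypted flag to true, because the default for both is false. The following added example (not Checkov's own implementation) applies that condition to a CloudFormation template loaded as a dict and to the JSON output of `terraform show -json plan.out`, walking child modules in the plan so file systems declared inside modules are not missed. The template and plan embedded in it are constructed samples.

```python
# Constructed CloudFormation template (as a dict, e.g. from json.load).
# One encrypted file system, two that fail, one unrelated resource.
SAMPLE_CFN_TEMPLATE = {
    "Resources": {
        "EncryptedFS": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"Encrypted": True, "KmsKeyId": "alias/app-cmk"},
        },
        "PlainFS": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"PerformanceMode": "generalPurpose"},
        },
        "NoProps": {"Type": "AWS::EFS::FileSystem"},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}

# Constructed `terraform show -json` plan: one compliant resource at the root,
# one explicitly unencrypted, and one inside a module with encrypted left unset.
SAMPLE_TF_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_efs_file_system.good", "type": "aws_efs_file_system",
                 "values": {"creation_token": "default-efs", "encrypted": True}},
                {"address": "aws_efs_file_system.bad", "type": "aws_efs_file_system",
                 "values": {"creation_token": "legacy-efs", "encrypted": False}},
            ],
            "child_modules": [
                {
                    "address": "module.shared",
                    "resources": [
                        {"address": "module.shared.aws_efs_file_system.unset",
                         "type": "aws_efs_file_system",
                         "values": {"creation_token": "shared-efs"}},
                    ],
                }
            ],
        }
    }
}


def _is_true(value) -> bool:
    """Accept a real boolean or the string "true" (YAML/JSON templates use both)."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def check_cloudformation_template(template: dict) -> list:
    """Return logical IDs of AWS::EFS::FileSystem resources without Encrypted: true.

    A resource with no Properties block fails too: the service default is unencrypted.
    """
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EFS::FileSystem":
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("Encrypted")):
            failing.append(logical_id)
    return failing


def _walk_modules(module: dict):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def check_terraform_plan(plan: dict) -> list:
    """Return addresses of aws_efs_file_system resources planned without encrypted = true."""
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for resource in _walk_modules(root):
        if resource.get("type") != "aws_efs_file_system":
            continue
        if not _is_true((resource.get("values") or {}).get("encrypted")):
            failing.append(resource["address"])
    return failing


if __name__ == "__main__":
    for logical_id in check_cloudformation_template(SAMPLE_CFN_TEMPLATE):
        print(f"FAIL CKV_AWS_42 (CloudFormation): {logical_id}")
    for address in check_terraform_plan(SAMPLE_TF_PLAN):
        print(f"FAIL CKV_AWS_42 (Terraform): {address}")
```

Checking the rendered plan rather than the HCL source means values passed through variables and module inputs are already resolved, which avoids false passes when `encrypted` is set from a variable whose default is false.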