Ensure Customer Managed Keys (CMK) are used for encryption of AWS Elastic File System (EFS)

HIGH

Description

Customer managed keys give administrators control over how data is encrypted, which helps meet compliance requirements and allows a key rotation period tailored to policy. With system-generated keys, expired or exposed keys can remain in use, leaving data insecure. Using a customer managed key is recommended wherever the service supports it.

Remediation

A KMS key can only be selected for file systems when creating a new resource. To create a new EFS resource with a customer managed key, follow the steps below.

In AWS Console -

  1. Sign in to AWS Console and open the EFS console.
  2. Select Create file system.
  3. Select Customize.
  4. Under Encryption, ensure Enable encryption of data at rest is selected.
  5. Expand the Customize encryption settings menu and in the KMS key drop-down, choose the KMS key to be used.
  6. Select Next and continue through the creation wizard, setting other fields appropriately.
  7. Select Create.

In Terraform -

  1. In the aws_efs_file_system resource, ensure that encrypted is set to true.
  2. Enter the correct KMS key ARN into the kms_key_id field.
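A Terraform illustration of the remediation above, added here as an example and not part of the original rule text: the first resource is the non-compliant form (encrypted, but with no kms_key_id, so the default AWS-managed key is used), the second uses a customer managed key. Resource names, the key alias, creation tokens and tags are assumptions.

```terraform
# Added example (not from the original rule page). Resource names, alias,
# creation tokens and tags are assumed; replace them with your own.

# Non-compliant: encrypted at rest, but no kms_key_id, so EFS falls back to
# the AWS-managed key (aws/elasticfilesystem) that the account does not control.
resource "aws_efs_file_system" "noncompliant" {
  creation_token = "example-efs-default-key"
  encrypted      = true
}

# Customer managed key dedicated to EFS, with automatic key rotation enabled.
resource "aws_kms_key" "efs" {
  description             = "CMK for EFS encryption at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "efs" {
  name          = "alias/efs-cmk"
  target_key_id = aws_kms_key.efs.key_id
}

# Compliant: encrypted = true together with the CMK's ARN in kms_key_id.
# Both attributes can only be set at creation; changing them on an existing
# file system makes Terraform replace it (the plan shows "forces replacement").
resource "aws_efs_file_system" "compliant" {
  creation_token = "example-efs-cmk"
  encrypted      = true
  kms_key_id     = aws_kms_key.efs.arn

  tags = {
    Name = "example-efs-cmk"
  }
}
```

Because the key cannot be swapped in place, migrating an existing file system means creating a new one with the CMK and copying the data over.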

References:
https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system

Policy Details

Rule Reference ID: AC_AWS_0098
CSP: AWS
Remediation Available: Yes
Resource Category: Storage

Frameworks