More Info:

Ensure that your Amazon EFS file systems are encrypted at rest using customer-managed AWS KMS keys (CMKs) rather than AWS-managed keys (the default keys the EFS service uses when no customer key is specified), so that you retain granular control over the encryption and decryption of your data at rest (key policy, rotation, and the ability to disable or revoke the key).

Risk Level

High

Address

Security

Compliance Standards

GDPR, NIST

Remediation

How to enable EFS Encryption with Customer Master Keys

Using AWS Console

  1. Log in to the AWS Management Console using your AWS account credentials.
  2. Navigate to the Amazon EFS service by selecting “EFS” from the services menu. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “AWS KMS Customer Master Keys For EFS Encryption” Policy.)
  3. In the EFS dashboard, select the EFS file system for which you want to enable encryption with CMK.
  4. In the file system details page, click on the “Actions” button and select “Modify file system.”
  5. In the “Modify file system” dialog box, scroll down to the “Encryption” section.
  6. Select the option “Use customer managed CMK (AWS Key Management Service)” for encryption.
  7. Choose the desired CMK from the “Customer managed CMK” dropdown menu. Make sure the CMK has the appropriate permissions.
  8. Optionally, you can enable the “Encrypt data in transit” option to encrypt data in transit as well.
  9. Click on the “Save” button to apply the encryption settings to the EFS file system.
  10. AWS will start the process of encrypting the data at rest using the specified CMK.
  11. Monitor the progress of the encryption process in the EFS dashboard.
  12. Once the encryption process is complete, the EFS file system will be encrypted using the customer-managed key.
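To find the file systems this policy flags before working through the console steps, the following script classifies each EFS file system as unencrypted, encrypted with the AWS-managed key, or encrypted with a customer-managed key. It is an added example, not Cloudanix code: the core logic runs offline against constructed sample data (the file system entries, key ARNs and account ID below are made up), and `audit_live_account` is a thin wrapper that pulls the same fields from the real `DescribeFileSystems` and `DescribeKey` APIs via boto3. Note that AWS lets you choose the KMS key only when a file system is created, so the report identifies file systems whose data must be migrated to a newly created file system rather than ones that can be changed in place.

```python
"""Audit Amazon EFS file systems for encryption at rest with a customer-managed KMS key.

Classification is based on two API responses:
  - efs:DescribeFileSystems -> "Encrypted" flag and "KmsKeyId" (a key ARN)
  - kms:DescribeKey         -> "KeyManager" ("AWS" or "CUSTOMER") and "KeyState"
"""
from typing import Dict, List

# Constructed sample of DescribeFileSystems output (not data from a real account).
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000000000000001", "Encrypted": False},
    {"FileSystemId": "fs-0000000000000002", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
    {"FileSystemId": "fs-0000000000000003", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
]

# Constructed sample of DescribeKey "KeyMetadata", keyed by key ARN.
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa":
        {"KeyManager": "AWS", "KeyState": "Enabled"},        # the EFS service default key
    "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},   # a customer-managed key
}


def classify_file_system(fs: dict, key_metadata: Dict[str, dict]) -> str:
    """Return a status string for one file system entry."""
    if not fs.get("Encrypted"):
        return "UNENCRYPTED"
    meta = key_metadata.get(fs.get("KmsKeyId", ""))
    if meta is None:
        # Key not visible to the caller (e.g. cross-account key without describe rights).
        return "UNKNOWN_KEY"
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS_MANAGED_KEY"
    if meta.get("KeyState") != "Enabled":
        # A disabled or pending-deletion CMK makes the file system unreadable, so flag it.
        return "KEY_NOT_ENABLED"
    return "COMPLIANT"


def audit(file_systems: List[dict], key_metadata: Dict[str, dict]) -> Dict[str, str]:
    """Map every FileSystemId to its classification."""
    return {fs["FileSystemId"]: classify_file_system(fs, key_metadata) for fs in file_systems}


def non_compliant(results: Dict[str, str]) -> List[str]:
    """File systems that fail the policy, sorted for stable reporting."""
    return sorted(fs_id for fs_id, status in results.items() if status != "COMPLIANT")


def audit_live_account(region: str) -> Dict[str, str]:
    """Fetch the real responses with boto3 and run the same classification (needs AWS credentials)."""
    import boto3  # imported here so the offline part of the module has no AWS dependency

    efs = boto3.client("efs", region_name=region)
    kms = boto3.client("kms", region_name=region)
    file_systems: List[dict] = []
    for page in efs.get_paginator("describe_file_systems").paginate():
        file_systems.extend(page["FileSystems"])
    key_metadata: Dict[str, dict] = {}
    for fs in file_systems:
        key_id = fs.get("KmsKeyId")
        if key_id and key_id not in key_metadata:
            key_metadata[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    return audit(file_systems, key_metadata)


if __name__ == "__main__":
    for fs_id, status in audit(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_METADATA).items():
        print(f"{fs_id}: {status}")
```

The IAM principal running `audit_live_account` needs `elasticfilesystem:DescribeFileSystems` and `kms:DescribeKey`; the sample run prints one unencrypted file system, one on the AWS-managed key, and one compliant file system.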

Additional Reading: