EFS Encryption Enabled
More Info:
Ensure that your Amazon EFS file systems are encrypted in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your file system, therefore the encryption process does not require any additional action from you or your application. Encryption keys are managed by AWS KMS service, eliminating the need to build and maintain a secure key management infrastructure.Risk Level
HighAddress
SecurityCompliance Standards
HIPAA, GDPR, CISAWS, CBP, NISTTriage and Remediation
Check Cause
Using Console
Using Console
- Log in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane, choose APIs. This will display a list of all your APIs.
- Select the API you want to check. This will open the API Gateway dashboard for the selected API.
- In the API Gateway dashboard, navigate to the “Settings” section. Here, look for the “Encryption” settings. If the “Encrypt Data at Rest” option is enabled, then EFS encryption is enabled for the API Gateway. If not, then EFS encryption is not enabled.
Using CLI
Using CLI
-
Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands:
Installation:
Configuration:You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
-
List all the API Gateways: Use the following command to list all the API Gateways in your AWS account:
This command will return a list of all the Rest APIs in your AWS account.
-
Get the details of each API Gateway: For each API Gateway, use the following command to get its details:
Replace
{rest-api-id}with the ID of the API Gateway you want to check. This command will return the details of the specified API Gateway. -
Check the EFS Encryption: Unfortunately, AWS API Gateway does not directly support EFS encryption. Therefore, you cannot check EFS encryption enabled in API Gateway using AWS CLI. However, you can check if the EFS file systems that your API Gateway may interact with are encrypted. Use the following command to list all your EFS file systems:
For each file system, check the
Encryptedfield in the output. If it istrue, then the file system is encrypted. If it isfalse, then it is not encrypted.
Using Python
Using Python
To check if EFS Encryption is enabled in API Gateway using Python scripts, you can use the Boto3 library, which allows you to directly interact with AWS services such as API Gateway. Here are the steps:
-
Import the Boto3 library in Python:
Boto3 is the Amazon Web Services (AWS) Software Development Kit (SDK) for Python, which allows Python developers to write software that makes use of AWS services like Amazon S3, Amazon EC2, etc. To use Boto3, you first need to import it.
-
Create a session using your AWS credentials:
You need to provide your AWS credentials (access key and secret access key) to Boto3 so it can interact with AWS services on your behalf. You can do this by creating a session.
-
Create an API Gateway client:
Once you have a session, you can create a client for API Gateway. This client will provide you with methods to interact with API Gateway.
-
Check if EFS Encryption is enabled:
Now you can use the client to retrieve information about your APIs and check if EFS Encryption is enabled. Here is a simple example:
This script will print out whether EFS Encryption is enabled for each of your APIs.