AWS KMS Customer Master Keys For EFS Encryption

More Info:

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Check Cause

Using Console

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.
Once AWS CLI is installed and configured, you can use the following command to list all the API Gateways:
```
aws apigateway get-rest-apis
```
This command will return a list of all the API Gateways along with their details.
Now, to check the AWS KMS Customer Master Keys for EFS Encryption, you need to list all the resources of each API Gateway. You can do this by using the following command:
```
aws apigateway get-resources --rest-api-id <rest-api-id>
```
Replace <rest-api-id> with the ID of the API Gateway you want to check. This command will return a list of all the resources of the specified API Gateway.
Finally, for each resource, you need to check the aws:kms:KeyArn property. If this property is not set or is set to a key that is not a Customer Master Key, then the EFS Encryption is misconfigured. You can do this by using the following command:
```
aws apigateway get-integration --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>
```
Replace <rest-api-id>, <resource-id>, and <http-method> with the ID of the API Gateway, the ID of the resource, and the HTTP method of the integration, respectively. This command will return the details of the integration, including the aws:kms:KeyArn property.

Using Python

Install and configure AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.

pip install boto3
aws configure

Create a Python script that uses Boto3 to list all the API Gateways in your AWS account.

import boto3

def list_api_gateways():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

api_gateways = list_api_gateways()

For each API Gateway, check if the EFS encryption is enabled. If the EFS encryption is not enabled, the API Gateway is misconfigured.

def check_efs_encryption(api_gateways):
    client = boto3.client('kms')
    misconfigured_gateways = []
    for gateway in api_gateways:
        try:
            response = client.describe_key(KeyId=gateway['id'])
            if response['KeyMetadata']['KeyState'] != 'Enabled':
                misconfigured_gateways.append(gateway['name'])
        except Exception as e:
            print(f"Error checking EFS encryption for {gateway['name']}: {e}")
    return misconfigured_gateways

misconfigured_gateways = check_efs_encryption(api_gateways)

Print out the names of the misconfigured API Gateways.

print("Misconfigured API Gateways:")
for gateway in misconfigured_gateways:
    print(gateway)

This script will list all the API Gateways in your AWS account and check if the EFS encryption is enabled for each one. If the EFS encryption is not enabled, the script will print out the name of the API Gateway.

Additional Reading:

https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS KMS Customer Master Keys For EFS Encryption

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading: