AWS KMS Customer Master Keys For EFS Encryption

More Info:

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Sign in to the AWS Management Console.
Navigate to the API Gateway console. You can do this by typing “API Gateway” in the search bar and selecting it from the dropdown menu.
In the API Gateway console, select the API you want to check.
In the API details page, select the “Stages” option from the left-hand side menu. Here, you can see all the stages of your API. Click on the stage you want to check.
In the stage editor, select the “Logs/Tracing” tab. Here, you can see the “CloudWatch Settings”. If the “Enable CloudWatch Logs” option is not selected, it means that AWS KMS Customer Master Keys for EFS Encryption is not enabled in API Gateway.

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.
Once AWS CLI is installed and configured, you can use the following command to list all the API Gateways:
```
aws apigateway get-rest-apis
```
This command will return a list of all the API Gateways along with their details.
Now, to check the AWS KMS Customer Master Keys for EFS Encryption, you need to list all the resources of each API Gateway. You can do this by using the following command:
```
aws apigateway get-resources --rest-api-id <rest-api-id>
```
Replace <rest-api-id> with the ID of the API Gateway you want to check. This command will return a list of all the resources of the specified API Gateway.
Finally, for each resource, you need to check the aws:kms:KeyArn property. If this property is not set or is set to a key that is not a Customer Master Key, then the EFS Encryption is misconfigured. You can do this by using the following command:
```
aws apigateway get-integration --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>
```
Replace <rest-api-id>, <resource-id>, and <http-method> with the ID of the API Gateway, the ID of the resource, and the HTTP method of the integration, respectively. This command will return the details of the integration, including the aws:kms:KeyArn property.

Using Python

Install and configure AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.

pip install boto3
aws configure

Create a Python script that uses Boto3 to list all the API Gateways in your AWS account.

import boto3

def list_api_gateways():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

api_gateways = list_api_gateways()

For each API Gateway, check if the EFS encryption is enabled. If the EFS encryption is not enabled, the API Gateway is misconfigured.

def check_efs_encryption(api_gateways):
    client = boto3.client('kms')
    misconfigured_gateways = []
    for gateway in api_gateways:
        try:
            response = client.describe_key(KeyId=gateway['id'])
            if response['KeyMetadata']['KeyState'] != 'Enabled':
                misconfigured_gateways.append(gateway['name'])
        except Exception as e:
            print(f"Error checking EFS encryption for {gateway['name']}: {e}")
    return misconfigured_gateways

misconfigured_gateways = check_efs_encryption(api_gateways)

Print out the names of the misconfigured API Gateways.

print("Misconfigured API Gateways:")
for gateway in misconfigured_gateways:
    print(gateway)

This script will list all the API Gateways in your AWS account and check if the EFS encryption is enabled for each one. If the EFS encryption is not enabled, the script will print out the name of the API Gateway.

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of KMS Customer Master Keys for EFS Encryption in AWS using the AWS console:

Log in to the AWS Management Console and navigate to the Amazon EFS service.
Select the EFS file system that is currently using the default AWS-managed CMK for encryption.
Click on the “Modify” button in the top menu bar.
In the “Modify File System” page, scroll down to the “Encryption” section.
Select “Customer managed CMK” from the “Key Management” drop-down menu.
Choose the desired KMS Customer Master Key from the “Select a CMK” drop-down menu.
Click on the “Save” button to save the changes.
Once the changes are saved, the EFS file system will start using the selected KMS Customer Master Key for encryption.
Repeat the above steps for all the other EFS file systems that are currently using the default AWS-managed CMK for encryption.

By following the above steps, you can remediate the misconfiguration of KMS Customer Master Keys for EFS Encryption in AWS using the AWS console.

Using CLI

The misconfiguration “AWS KMS Customer Master Keys for EFS Encryption” means that the EFS file system is not using a KMS Customer Master Key (CMK) for encryption. To remediate this, you can follow these steps using AWS CLI:

Create a KMS Customer Master Key (CMK) if you don’t have one already:

aws kms create-key --description "EFS CMK"

Enable the key for EFS use:

aws kms enable-key --key-id <kms_key_id> --key-usage ENCRYPT_DECRYPT --grant-permissions "GranteePrincipal=ec2.amazonaws.com,Operations=['Encrypt','Decrypt']"

Note: Replace <kms_key_id> with the ID of the KMS CMK created in step 1.

Modify the EFS file system to use the KMS CMK:

aws efs update-file-system --file-system-id <efs_file_system_id> --encrypted --kms-key-id <kms_key_id>

Note: Replace <efs_file_system_id> with the ID of the EFS file system and <kms_key_id> with the ID of the KMS CMK created in step 1.

Verify that the EFS file system is using the KMS CMK for encryption:

aws efs describe-file-systems --file-system-id <efs_file_system_id> --query "FileSystems[*].KmsKeyId"

Note: Replace <efs_file_system_id> with the ID of the EFS file system.If the output of the command in step 4 shows the KMS CMK ID, then the remediation is successful.

Using Python

To remediate the misconfiguration of using AWS KMS Customer Master Keys for EFS Encryption, you can follow the below steps using Python:Step 1: Create a new AWS KMS Customer Master Key (CMK) for EFS Encryption.

import boto3

kms = boto3.client('kms')

response = kms.create_key(
    Description='EFS CMK',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS',
    CustomerMasterKeySpec='SYMMETRIC_DEFAULT'
)

key_id = response['KeyMetadata']['KeyId']

Step 2: Update the EFS file system to use the new CMK for encryption.

efs = boto3.client('efs')

response = efs.update_file_system(
    FileSystemId='fs-12345678',
    Encrypted=True,
    KmsKeyId=key_id
)

Step 3: Enable EFS encryption for all new file systems using the new CMK.

response = efs.put_account_preferences(
    ResourceId='123456789012',
    Encrypted=True,
    KmsKeyId=key_id
)

Note: Replace fs-12345678 with the ID of the EFS file system you want to update, and 123456789012 with your AWS account ID.By following these steps, you can remediate the misconfiguration of using AWS KMS Customer Master Keys for EFS Encryption.

Additional Reading:

https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

​Additional Reading: