🛡️ AWS EFS File System is not encrypted with KMS CMK🟢

Contextual name: 🛡️ File System is not encrypted with KMS Customer Master Key🟢
ID: /ce/ca/aws/efs/file-system-cmk-encryption
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS EFS File System
- 🔌 AWS KMS Key - object.extracts.yaml
- 🔌 AWS EFS File System - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
Cloud Conformity: AWS KMS Customer Master Keys for EFS Encryption

Description

Here’s a more polished and professional version of your text, with improved clarity, consistency, and tone while preserving the original meaning:

Description

This policy identifies AWS EFS file systems that are encrypted using AWS-managed keys (the default keys applied by the EFS service when no customer-managed keys are specified) rather than AWS KMS customer-managed keys (CMKs). Using CMKs provides greater control over encryption key management, access policies, and auditing capabilities compared to AWS-managed keys.

Rationale

Encrypting data at rest adds an important layer of security by protecting stored data from unauthorized access to the underlying storage. Although AWS provides a default managed key (aws/elasticfilesystem) for EFS encryption, using a customer-managed keys offers several additional security and governance benefits:

Enhanced Control: Full ownership of the key lifecycle, including creation, rotation, and permission management.

Improved Auditing: Detailed key usage visibility through AWS CloudTrail, enabling precise tracking of when and how encryption keys are used.

... see more

Remediation

Open File

Remediation

Encrypt EFS File System Using KMS CMK

Encryption at rest for Amazon EFS can only be enabled during the creation of the file system. It is not possible to enable encryption or change the KMS key for an existing file system.

From Command Line
Create a customer-managed KMS key:
aws kms create-key \
    --region {{us-east-1}} \
    --description "CMK for EFS data encryption"
(Optional) Create an alias for the CMK:
aws kms create-alias \
    --region {{us-east-1}} \
    --alias-name {{alias/efs-cmk}} \
    --target-key-id {{cmk-arn}}
Create a new EFS file system using the CMK:
aws efs create-file-system \
    --region {{us-east-1}} \
    --creation-token {{unique-token}} \
    --encrypted \
    --kms-key-id {{cmk-arn}}
Create mount targets for the new file system (repeat for each AZ):
aws efs create-mount-target \
    --region {{us-east-1}} \
    --file-system-id {{new-file-system-id}} \
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS		1	2	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			19	no data
💼 Cloudaware Framework → 💼 Data Encryption			66	no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			16	no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			16	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	40	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	35	no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	24	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		35	no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		35	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			173	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			149	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			169	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			39	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	36	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			25	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Encrypt EFS File System Using KMS CMK​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Encrypt EFS File System Using KMS CMK

From Command Line

policy.yaml

Linked Framework Sections