Remediation
Encrypt EFS File System Using KMS CMK
Encryption at rest for Amazon EFS can only be enabled during the creation of the file system. It is not possible to enable encryption or change the KMS key for an existing file system.
From Command Line
- Create a customer-managed KMS key:
  aws kms create-key \
    --region {{us-east-1}} \
    --description "CMK for EFS data encryption"
- (Optional) Create an alias for the CMK:
  aws kms create-alias \
    --region {{us-east-1}} \
    --alias-name {{alias/efs-cmk}} \
    --target-key-id {{cmk-arn}}
- Create a new EFS file system using the CMK:
  aws efs create-file-system \
    --region {{us-east-1}} \
    --creation-token {{unique-token}} \
    --encrypted \
    --kms-key-id {{cmk-arn}}
- Create mount targets for the new file system (repeat for each AZ):
  aws efs create-mount-target \
    --region {{us-east-1}} \
    --file-system-id {{new-file-system-id}} \
    --subnet-id {{subnet-id}}
- Mount the new file system and migrate data from the existing EFS file system using standard file copy tools (for example, rsync).
- Delete the original EFS file system after validating the migration:
  aws efs delete-file-system \
    --region {{us-east-1}} \
    --file-system-id {{old-file-system-id}}
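Before running the procedure above it helps to know which file systems actually need it. The following audit is an added example, not part of the original page: it takes the JSON that `aws efs describe-file-systems` and `aws kms describe-key` return, tells unencrypted file systems and file systems using the AWS-managed key apart from those using a CMK, and lists the ones that can only be fixed by creating a new file system and migrating (it also flags a CMK that is not in the Enabled state, which goes one step beyond the page). The sample documents, account number, key ARNs and file system IDs are constructed placeholders.

```python
import json

# Constructed sample of `aws efs describe-file-systems` output (placeholder IDs).
DESCRIBE_FILE_SYSTEMS = json.loads("""
{"FileSystems": [
  {"FileSystemId": "fs-00000001", "Encrypted": false},
  {"FileSystemId": "fs-00000002", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/aws-managed-key-id"},
  {"FileSystemId": "fs-00000003", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/cmk-key-id"},
  {"FileSystemId": "fs-00000004", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/disabled-cmk-key-id"}
]}
""")

# Constructed sample of `aws kms describe-key --key-id <arn>` output per key ARN.
# KeyManager is "AWS" for the AWS-managed key (alias/aws/elasticfilesystem) and
# "CUSTOMER" for a customer-managed key; KeyState is the key's lifecycle state.
DESCRIBE_KEY = {
    "arn:aws:kms:us-east-1:111111111111:key/aws-managed-key-id":
        {"KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:111111111111:key/cmk-key-id":
        {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}},
    "arn:aws:kms:us-east-1:111111111111:key/disabled-cmk-key-id":
        {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Disabled"}},
}


def classify(fs, describe_key):
    """Classify one record from describe-file-systems.
    describe_key(arn) must return the describe-key document for that key ARN."""
    if not fs.get("Encrypted"):
        return "UNENCRYPTED"
    meta = describe_key(fs["KmsKeyId"])["KeyMetadata"]
    if meta.get("KeyManager") != "CUSTOMER":
        return "AWS_MANAGED_KEY"      # encrypted, but not with a CMK
    if meta.get("KeyState") != "Enabled":
        return "CMK_NOT_ENABLED"      # CMK in use is disabled or pending deletion
    return "CMK"


def needs_migration(describe_file_systems, describe_key):
    """IDs of file systems that only the create-and-migrate procedure can fix:
    encryption and the KMS key cannot be changed on an existing file system."""
    report = {fs["FileSystemId"]: classify(fs, describe_key)
              for fs in describe_file_systems["FileSystems"]}
    return sorted(i for i, s in report.items() if s in ("UNENCRYPTED", "AWS_MANAGED_KEY"))


if __name__ == "__main__":
    print(needs_migration(DESCRIBE_FILE_SYSTEMS, DESCRIBE_KEY.__getitem__))
```

Against a live account, replace the two sample documents with the parsed output of the corresponding CLI calls; keys in another account that `describe-key` cannot read need to be handled separately.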