Skip to main content

πŸ“ AWS EFS File System encryption is not enabled 🟒

  • Contextual name: πŸ“ File System encryption is not enabled 🟒
  • ID: /ce/ca/aws/efs/file-system-encryption
  • Located in: πŸ“ AWS EFS

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-966d31831

Logic​

Description​

Open File

Description​

EFS data should be encrypted at rest using AWS KMS (Key Management Service).

Rationale​

Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.

Audit​

From Console​
  1. Login to the AWS Management Console and Navigate to Elastic File System (EFS) dashboard.
  2. Select File Systems from the left navigation panel.
  3. Each item on the list has a visible Encrypted field that displays data at rest encryption status.
  4. Validate that this field reads Encrypted for all EFS file systems in all AWS regions.
From Command Line​
  1. Run describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region:
aws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId'
  1. The command output should return a table with the requested file system IDs.
  2. Run describe-file-systems command using the ID of the file system that you want to examine as identifier and the necessary query filters:

... see more

Remediation​

Open File

Remediation​

It is important to note that EFS file system data at rest encryption must be turned on when creating the file system. If an EFS file system has been created without data at rest encryption enabled then you must create another EFS file system with the correct configuration and transfer the data.

Steps to create an EFS file system with data encrypted at rest:

From Console​

  1. Login to the AWS Management Console and Navigate to Elastic File System (EFS) dashboard.

  2. Select File Systems from the left navigation panel.

  3. Click Create File System button from the dashboard top menu to start the file system setup process.

  4. On the Configure file system access configuration page, perform the following actions.

  • Choose the right VPC from the VPC dropdown list.

  • Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These will be your mount targets.

  • Click Next step to continue.

  1. Perform the following on the Configure optional settings page.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 52c appropriate encryption, cleansing and auditing of devices;99
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 2.4.1 Ensure that encryption is enabled for EFS file systems - Level 1 (Manual)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 2.4.1 Ensure that encryption is enabled for EFS file systems - Level 1 (Manual)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 2.4.1 Ensure that encryption is enabled for EFS file systems - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 2.3.1 Ensure that encryption is enabled for EFS file systems (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 2.3.1 Ensure that encryption is enabled for EFS file systems (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 2.3.1 Ensure that encryption is enabled for EFS file systems (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption42
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2526
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(10) Prevent Exfiltration (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1624
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1724
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)514
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)124
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)14
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-1: Data-at-rest is protected1528
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-28 PROTECTION OF INFORMATION AT REST233
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3032
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks20
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection413
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31625
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1014
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection12
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 3.4.1 If disk encryption is used, logical access must be managed separately and independently of native operating system authentication and access control mechanisms.712
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.13
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.3.2 SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.813
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable.12
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-10 Uses Encryption to Protect Data611