Description
EFS data should be encrypted at rest using AWS KMS (Key Management Service).
Rationale
Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.
Audit
From Console
- Login to the AWS Management Console and navigate to the Elastic File System (EFS) dashboard.
- Select File Systems from the left navigation panel.
- Each item on the list has a visible Encrypted field that displays the data at rest encryption status.
- Validate that this field reads Encrypted for all EFS file systems in all AWS regions.
From Command Line
- Run the describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region:
aws efs describe-file-systems --region <region> --output table --query 'FileSystems[*].FileSystemId'
- The command output should return a table with the requested file system IDs.
- Run the describe-file-systems command using the ID of the file system that you want to examine as the identifier and the necessary query filters:
aws efs describe-file-systems --region <region> --file-system-id <file-system-id from step 2 output> --query 'FileSystems[*].Encrypted'
- The command output should return the file system encryption status, true or false. If the returned value is false, the selected AWS EFS file system is not encrypted; if the returned value is true, the selected AWS EFS file system is encrypted.
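The command-line audit above, automated across every file system and every enabled region, as an added Python example that is not part of the benchmark text. The sample DescribeFileSystems response is constructed; the live path assumes boto3 and AWS credentials are available, and treats a missing Encrypted flag as non-compliant so the check fails closed.

```python
"""Audit AWS EFS file systems for encryption at rest (added example)."""
import json

# Constructed sample in the shape of `aws efs describe-file-systems` JSON output;
# only the fields the audit needs are included, and the IDs/ARN are made up.
SAMPLE_RESPONSE = json.loads("""
{"FileSystems": [
  {"FileSystemId": "fs-0123456789abcdef0", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"FileSystemId": "fs-0fedcba9876543210", "Encrypted": false}
]}
""")


def unencrypted_file_systems(file_systems):
    """Return the IDs whose Encrypted flag is not exactly true (missing flag = finding)."""
    return [fs["FileSystemId"] for fs in file_systems if fs.get("Encrypted") is not True]


def audit_region(efs_client):
    """Page through DescribeFileSystems (Marker/NextMarker) in one region; return findings."""
    file_systems, kwargs = [], {}
    while True:
        page = efs_client.describe_file_systems(**kwargs)
        file_systems.extend(page["FileSystems"])
        if "NextMarker" not in page:
            break
        kwargs["Marker"] = page["NextMarker"]
    return unencrypted_file_systems(file_systems)


def audit_all_regions(session):
    """Run the audit in every enabled region; returns {region: [ids]} for regions with findings."""
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    findings = {}
    for region in regions:
        ids = audit_region(session.client("efs", region_name=region))
        if ids:
            findings[region] = ids
    return findings


if __name__ == "__main__":
    print("sample audit findings:", unencrypted_file_systems(SAMPLE_RESPONSE["FileSystems"]))
    try:
        import boto3  # live audit only when boto3 and credentials are present
        print("live audit findings:", audit_all_regions(boto3.Session()))
    except Exception as exc:  # no boto3 / no credentials: report and move on
        print("live audit skipped:", exc)
```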
Default Value
EFS file system data is encrypted at rest by default when creating a file system via the Console. Encryption at rest is not enabled by default when creating a new file system using the AWS CLI, API, and SDKs.