Description
EFS data should be encrypted at rest using AWS KMS (Key Management Service).
Rationale
Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.
Audit
From Console
- Log in to the AWS Management Console and navigate to the Elastic File System (EFS) dashboard.
- Select File Systems from the left navigation panel.
- Each item on the list has a visible Encrypted field that displays the data-at-rest encryption status.
- Validate that this field reads Encrypted for all EFS file systems in all AWS regions.
From Command Line
- Run the describe-file-systems command using custom query filters to list the identifiers of all AWS EFS file systems currently available within the selected region:

  aws efs describe-file-systems --region {{region-name}} --output table --query 'FileSystems[*].FileSystemId'

  The command output should return a table with the requested file system IDs.
- Run the describe-file-systems command using the ID of the file system that you want to examine as the identifier and the necessary query filters:

  aws efs describe-file-systems --region {{region-name}} --file-system-id {{file-system-id}} --query 'FileSystems[*].Encrypted'

  The command output should return the file system encryption status, true or false. If the returned value is false, the selected AWS EFS file system is not encrypted. If the returned value is true, the selected AWS EFS file system is encrypted.
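The two commands above check one file system in one region at a time. The script below is an added example (not part of the benchmark text) that automates the same audit across every enabled region: it assumes AWS CLI v2 is installed with credentials allowed to call ec2:DescribeRegions and efs:DescribeFileSystems, and the text-output parsing is separated into its own function so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: audit EFS encryption at rest across all regions.

# Reads "FileSystemId<TAB>Encrypted" rows, as emitted by
#   aws efs describe-file-systems --output text \
#     --query 'FileSystems[*].[FileSystemId,Encrypted]'
# from stdin and prints only the IDs whose Encrypted value is not True.
# The AWS CLI renders booleans as True/False in text output.
flag_unencrypted() {
  while read -r fs_id encrypted; do
    [ -z "$fs_id" ] && continue
    case "$encrypted" in
      True|true) ;;                 # encrypted at rest: compliant
      *) printf '%s\n' "$fs_id" ;;  # False or missing: report it
    esac
  done
}

# Lists every file system in one region and prints the unencrypted IDs.
audit_region() {
  region="$1"
  aws efs describe-file-systems --region "$region" --output text \
    --query 'FileSystems[*].[FileSystemId,Encrypted]' | flag_unencrypted
}

# Walks all regions enabled for the account (assumed to be what
# ec2 describe-regions returns by default) and prefixes each finding
# with its region so the report can be handed to the owning team.
audit_all_regions() {
  for region in $(aws ec2 describe-regions \
      --query 'Regions[*].RegionName' --output text); do
    audit_region "$region" | sed "s/^/$region /"
  done
}

# Invoke as:  sh efs_audit.sh --run
# (guarded so sourcing the file for its functions makes no API calls)
if [ "${1:-}" = "--run" ]; then
  audit_all_regions
fi
```

An empty report means every file system seen by the credentials reads Encrypted; any line printed is a file system that must be recreated with encryption enabled, since EFS encryption cannot be turned on after creation.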
Default Value
EFS file system data is encrypted at rest by default when creating a file system via the Console. Encryption at rest is not enabled by default when creating a new file system using the AWS CLI, API, and SDKs.