EFS File System Encryption is Disabled

Overview

Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.

EFS file system data is encrypted at rest by default when the file system is created through the AWS Management Console. Encryption at rest is not enabled by default when a new file system is created with the AWS CLI, API, or SDKs.

Remediation:

Encryption at rest must be turned on when the EFS file system is created; it cannot be enabled on an existing file system. If an EFS file system has been created without encryption at rest, you must create another EFS file system with the correct configuration and transfer the data to it.
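The audit and remediation steps above, as an added example that is not part of this page or of any AWS tooling: the script parses the JSON that `aws efs describe-file-systems --output json` returns, flags file systems whose `Encrypted` flag is not set, and builds the `aws efs create-file-system` command for an encrypted replacement. The `--encrypted`, `--kms-key-id`, `--creation-token`, `--performance-mode`, `--throughput-mode` and `--tags` options are real AWS CLI options; the sample describe output, file system IDs and the KMS key ARN are constructed placeholders.

```python
"""Audit EFS encryption at rest from `aws efs describe-file-systems` output
and build the CLI call for an encrypted replacement file system.

Added example, not code from the original page. The sample JSON below is
constructed to match the shape of the real describe-file-systems output.
"""
import json
import shlex
import sys
from typing import Dict, List

# Constructed sample of `aws efs describe-file-systems --output json`.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {
            "FileSystemId": "fs-0123456789abcdef0",   # constructed ID
            "Name": "app-data",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "PerformanceMode": "generalPurpose",
            "ThroughputMode": "bursting",
        },
        {
            "FileSystemId": "fs-0fedcba9876543210",   # constructed ID
            "Name": "legacy-share",
            "Encrypted": False,                        # created via CLI without --encrypted
            "PerformanceMode": "maxIO",
            "ThroughputMode": "bursting",
        },
    ]
})


def find_unencrypted(describe_output: str) -> List[Dict]:
    """Return the file-system records whose Encrypted flag is absent or false."""
    data = json.loads(describe_output)
    return [fs for fs in data.get("FileSystems", []) if not fs.get("Encrypted", False)]


def replacement_command(fs: Dict, kms_key_id: str) -> str:
    """Build the create-file-system call for an encrypted replacement.

    Encryption can only be chosen at creation time, so the existing file
    system's performance and throughput modes are carried over and
    --encrypted plus the KMS key are added. The creation token must be
    unique per account; deriving it from the old ID is a convention
    chosen here, not an AWS requirement.
    """
    parts = [
        "aws", "efs", "create-file-system",
        "--creation-token", f"{fs['FileSystemId']}-encrypted",
        "--encrypted",
        "--kms-key-id", kms_key_id,
        "--performance-mode", fs.get("PerformanceMode", "generalPurpose"),
        "--throughput-mode", fs.get("ThroughputMode", "bursting"),
    ]
    name = fs.get("Name")
    if name:
        parts += ["--tags", f"Key=Name,Value={name}"]
    return shlex.join(parts)


if __name__ == "__main__":
    # Pipe real output in (`aws efs describe-file-systems --output json | python3 this.py`)
    # or run with no stdin data to use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    # Placeholder: replace with the ARN from the rule's "KMS Key ARN" input.
    key_arn = "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"
    for item in find_unencrypted(raw):
        print(f"UNENCRYPTED {item['FileSystemId']} ({item.get('Name', '-')})")
        print("  replacement:", replacement_command(item, key_arn))
```

The script only reports and prints the creation command; creating mount targets, copying the data across (for example with AWS DataSync) and cutting clients over to the new file system ID are separate steps that the remediation text above leaves to the operator.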

Vendor

AWS

Cloud Service

EFS

Input

{"kmsKeyId":{"label":"KMS Key ARN","helpText":"Amazon Resource Name (ARN) of the KMS key that should be used to encrypt the EFS file system.","value":"","type":"string"}}

CIS AWS v1.5.0 2.4.1, EFS.1

References

https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/efs/index.html#efs

Severity

3

Item Types

AWS::EFS::FileSystem