Amazon Elastic File System (Amazon EFS)

EFS Encryption Using Default KMS Keys

Risk Level: Low

Description: 

This plugin checks whether EFS file systems are encrypted with KMS Customer Master Keys (CMKs). To have complete control over data encryption and decryption, EFS file systems should use KMS Customer Master Keys (CMKs) instead of AWS-managed keys.

About the Service:

Amazon EFS is a scalable file storage system that works with Amazon EC2. For workloads and applications operating on several instances, an EFS file system may be used as a shared data source. With no need for maintenance or provisioning, Amazon Elastic File System (Amazon EFS) expands and shrinks as the files are added or deleted.

Impact:

When we create and use our own KMS customer-managed CMKs to protect the data and metadata (including the system metadata) of EFS file systems, we obtain full control over who may access that data and metadata.

Steps to reproduce:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon EFS dashboard.
    https://ap-south-1.console.aws.amazon.com/efs/ 
  3. Click on File systems on the left navigation panel.
  4. Click on the file system that you want to examine.
  5. Check whether it shows that encryption is enabled. Also, look at the encryption key name value: if it contains aws/elasticfilesystem, then the selected EFS file system is encrypted using the default master key instead of a KMS CMK customer-managed key.
  6. Repeat the same steps for other file systems as well.
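A scripted version of the check in steps 4 and 5, added here as an example and not part of the original knowledge-base entry. It classifies each file system from the DescribeFileSystems response by looking up the KMS KeyManager of its key (AWS-managed keys such as aws/elasticfilesystem report "AWS", CMKs report "CUSTOMER"); the offline run uses constructed sample responses, and the live helper assumes boto3 and AWS credentials are available.

```python
"""Flag EFS file systems that are unencrypted or encrypted with the AWS-managed default key."""
from typing import Dict, List

# Constructed sample of the "FileSystems" list returned by efs.describe_file_systems().
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/aaaa-default"},
    {"FileSystemId": "fs-0002", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/bbbb-cmk"},
    {"FileSystemId": "fs-0003", "Encrypted": False},
]

# Constructed sample of kms.describe_key()["KeyMetadata"], keyed by key ARN.
# KeyManager is "AWS" for AWS-managed keys (alias/aws/elasticfilesystem) and "CUSTOMER" for CMKs.
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:ap-south-1:111122223333:key/aaaa-default": {"KeyManager": "AWS"},
    "arn:aws:kms:ap-south-1:111122223333:key/bbbb-cmk": {"KeyManager": "CUSTOMER"},
}


def classify(file_systems: List[dict], key_metadata: Dict[str, dict]) -> Dict[str, str]:
    """Return {FileSystemId: "UNENCRYPTED" | "DEFAULT_KEY" | "CMK" | "UNKNOWN_KEY"}."""
    result = {}
    for fs in file_systems:
        if not fs.get("Encrypted"):
            result[fs["FileSystemId"]] = "UNENCRYPTED"
            continue
        manager = key_metadata.get(fs.get("KmsKeyId"), {}).get("KeyManager")
        if manager == "AWS":
            result[fs["FileSystemId"]] = "DEFAULT_KEY"   # aws/elasticfilesystem, the finding
        elif manager == "CUSTOMER":
            result[fs["FileSystemId"]] = "CMK"           # customer-managed key, compliant
        else:
            result[fs["FileSystemId"]] = "UNKNOWN_KEY"   # key not resolvable (deleted, cross-account)
    return result


def audit_with_boto3(region: str) -> Dict[str, str]:
    """Live variant (assumption: boto3 installed and credentials configured); not run offline."""
    import boto3
    efs = boto3.client("efs", region_name=region)
    kms = boto3.client("kms", region_name=region)
    file_systems = efs.describe_file_systems()["FileSystems"]
    metadata = {fs["KmsKeyId"]: kms.describe_key(KeyId=fs["KmsKeyId"])["KeyMetadata"]
                for fs in file_systems if fs.get("KmsKeyId")}
    return classify(file_systems, metadata)


if __name__ == "__main__":
    for fs_id, status in classify(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_METADATA).items():
        print(fs_id, status)
```

Any file system reported as DEFAULT_KEY is the finding described above; UNENCRYPTED is a separate, more serious finding that this check also surfaces.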

Steps for remediation:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon EFS dashboard.
    https://ap-south-1.console.aws.amazon.com/efs/ 
  3. Click on File systems on the left navigation panel.
  4. Click on the file system that you want to examine.
  5. Check whether it shows that encryption is enabled. Also, look at the encryption key name value: if it contains aws/elasticfilesystem, then the selected EFS file system is encrypted using the default master key instead of a KMS CMK customer-managed key.
  6. Navigate to KMS dashboard and click on Customer Managed Keys.
  7. Next, click on Create key, choose the required options in the Configure key step, and click Next.
  8. In the Add labels section, add the alias and description and click Next.
  9. Next, define the key administrative permissions and the key usage permissions. Finally, review and click Finish.
  10. Now, navigate to the EFS dashboard and click on Create new file system.
  11. Fill in all the necessary details required in the File System Settings dialogue box.
  12. In the Encryption section, select Enable encryption and choose the CMK created earlier.
  13. Fill in all the details in the Network Access tab.
  14. Click next, and then select the most appropriate options of File System Policy.
  15. Click Next and then click Create.
  16. Copy the data from the old file system into this new file system, and then delete the old file system.
  17. Repeat the same steps for other file systems as well.

References: