Amazon Elastic File System (Amazon EFS)

EFS File Systems Referencing a Deleted KMS Key

This plugin checks that every encrypted EFS file system references a KMS key that still exists and is enabled.

Risk Level: Medium

Description: 

This plugin checks that every encrypted EFS file system references a KMS key that still exists and is enabled. A file system whose KMS key has been deleted, or is scheduled for deletion, is reported as an issue.

About the Service :

Amazon EFS is a scalable file storage service for use with Amazon EC2 and other AWS compute services. An EFS file system can serve as a shared data source for workloads and applications running on several instances at once. Amazon EFS grows and shrinks automatically as files are added or deleted, with no provisioning or maintenance required.

Impact : 

If the KMS key that encrypts a file system is deleted, the data encrypted under it can no longer be decrypted: mounts and I/O fail and the data cannot be recovered. The encryption-at-rest control that compliance requirements depend on is then no longer in place, and a file system left running on an invalid key is a sign that key lifecycle management is not being tracked.

Steps to reproduce :

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon EFS dashboard.
    https://ap-south-1.console.aws.amazon.com/efs/ 
  3. Click on File systems on the left navigation panel.
  4. Click on the file system that you want to examine.
  5. Check whether Encrypted shows Yes and note the KMS key ID it references. The EFS console only shows the key ID, so open the KMS dashboard, look up that key, and check its status. The file system violates the best practice if the key no longer exists or its status is Pending deletion. A Disabled key is also worth flagging, since it blocks access to the data until it is re-enabled.
  6. Repeat the same steps for other file systems as well.

Steps for remediation :

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon EFS dashboard.
    https://ap-south-1.console.aws.amazon.com/efs/ 
  3. Click on File systems on the left navigation panel.
  4. Click on the file system that you want to fix and note the KMS key ID shown under Encrypted.
  5. Open the KMS dashboard and look up that key. If its status is Pending deletion, cancel the deletion (Key actions > Cancel key deletion); if it is Disabled, enable it. This restores read access to the existing data so it can be copied. If the key has already been deleted, the data encrypted under it cannot be recovered; restore it from a backup (for example an AWS Backup recovery point) into the new file system created below.
  6. In the KMS dashboard, click on Customer managed keys and then Create key. Choose the required options under Configure key and click Next.
  7. In the Add labels section, add an alias and description and click Next.
  8. Define key administrative permissions and key usage permissions. Finally, review and click Finish.
  9. The KMS key of an EFS file system cannot be changed after creation, so a new file system is required. Navigate to the EFS dashboard, click Create file system and choose Customize so that the encryption key can be selected.
  10. Fill in the necessary details in the File system settings dialogue box, make sure encryption of data at rest is enabled, and select the KMS key created earlier.
  11. Fill in the details in the Network access tab.
  12. Click Next, then select the most appropriate options for the File system policy.

    Click Next and then click Create.
  13. Copy the data from the old file system into the new one (for example with AWS DataSync, or rsync from an instance that mounts both), verify the copy, and only then delete the old file system.
    Repeat the same steps for other file systems as well.
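The check from Steps to reproduce and the decision from Steps for remediation, as an added example that is not the plugin's own code. The classification works on plain dicts shaped like the DescribeFileSystems and DescribeKey responses, so it runs offline on the constructed sample data below; the `audit_region` function is the optional live run and is the only part that needs boto3 and credentials. The file system IDs, key ARNs and deletion date in the sample are made up.

```python
"""Audit EFS file systems for KMS keys that are deleted, pending deletion or disabled.

Added example, not the scanner's plugin. Only audit_region() talks to AWS;
everything else works on dicts shaped like the EFS/KMS API responses.
"""
from dataclasses import dataclass
from typing import Optional

HEALTHY_KEY_STATES = {"Enabled"}  # KeyMetadata.KeyState values that need no action


class KeyNotFound(Exception):
    """Raised by the key-lookup callable when KMS has no record of the key."""


@dataclass
class Finding:
    file_system_id: str
    kms_key_id: Optional[str]
    status: str   # "OK", "WARN" or "FAIL"
    detail: str
    action: str   # the step from the remediation section that applies


def check_file_system(fs, describe_key):
    """Classify one DescribeFileSystems record.

    describe_key(key_id) must return a KeyMetadata-like dict or raise KeyNotFound.
    """
    fs_id = fs["FileSystemId"]
    if not fs.get("Encrypted"):
        return Finding(fs_id, None, "FAIL", "encryption at rest is not enabled",
                       "recreate the file system with encryption enabled and migrate the data")
    key_id = fs.get("KmsKeyId")
    try:
        meta = describe_key(key_id)
    except KeyNotFound:
        # The key is gone: nothing encrypted under it can be decrypted any more.
        return Finding(fs_id, key_id, "FAIL", "KMS key no longer exists",
                       "data is unrecoverable; restore from backup into a new encrypted file system")
    state = meta.get("KeyState")
    if state == "PendingDeletion":
        return Finding(fs_id, key_id, "FAIL",
                       f"KMS key is scheduled for deletion on {meta.get('DeletionDate')}",
                       "cancel the key deletion, then migrate to a file system using a new key")
    if state == "Disabled":
        return Finding(fs_id, key_id, "WARN", "KMS key is disabled",
                       "re-enable the key, then migrate if the key is being retired")
    if state in HEALTHY_KEY_STATES:
        return Finding(fs_id, key_id, "OK", "KMS key is enabled", "none")
    return Finding(fs_id, key_id, "WARN", f"unexpected key state {state!r}", "investigate the key")


def audit(file_systems, describe_key):
    """Run the check over every file system record and return the findings."""
    return [check_file_system(fs, describe_key) for fs in file_systems]


def audit_region(region):
    """Live run against one region (needs boto3 and AWS credentials)."""
    import boto3
    efs = boto3.client("efs", region_name=region)
    kms = boto3.client("kms", region_name=region)
    file_systems = []
    for page in efs.get_paginator("describe_file_systems").paginate():
        file_systems.extend(page["FileSystems"])

    def describe_key(key_id):
        try:
            return kms.describe_key(KeyId=key_id)["KeyMetadata"]
        except kms.exceptions.NotFoundException as exc:
            raise KeyNotFound(key_id) from exc

    return audit(file_systems, describe_key)


# Constructed sample data (not from a real account) covering each outcome.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/good"},
    {"FileSystemId": "fs-0b2", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/pending"},
    {"FileSystemId": "fs-0c3", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/gone"},
    {"FileSystemId": "fs-0d4", "Encrypted": False},
]
SAMPLE_KEYS = {
    "arn:aws:kms:ap-south-1:111122223333:key/good": {"KeyState": "Enabled"},
    "arn:aws:kms:ap-south-1:111122223333:key/pending": {
        "KeyState": "PendingDeletion", "DeletionDate": "2024-07-01"},
}


def sample_describe_key(key_id):
    """Stand-in for kms.describe_key that serves the constructed keys above."""
    try:
        return SAMPLE_KEYS[key_id]
    except KeyError:
        raise KeyNotFound(key_id)


if __name__ == "__main__":
    for f in audit(SAMPLE_FILE_SYSTEMS, sample_describe_key):
        print(f"{f.status:4} {f.file_system_id} {f.detail}; action: {f.action}")
```

The live run needs `elasticfilesystem:DescribeFileSystems` and `kms:DescribeKey`. DescribeKey on a key in Pending deletion still succeeds and returns the DeletionDate, which is why that case is separated from a key that is already gone: the former can still be rescued with Cancel key deletion before the data is copied.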
