
AWS KMS Customer Master Keys for EFS Encryption


Risk level: High (not acceptable risk)

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS-managed keys (the default keys used by the EFS service when no customer keys are defined) in order to have more granular control over your data-at-rest encryption/decryption process.

This rule resolution is part of the Cloud Conformity Security Package

When you define and use your own KMS CMK customer-managed keys to protect the EFS file systems data and metadata, you gain full control over who can use these keys to access the data (including the system metadata). The AWS KMS service allows you to create, rotate, disable and audit CMK encryption keys for your file systems.

Audit

To determine the encryption status and configuration for your AWS EFS file systems, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

03 In the left navigation panel, select File Systems.

04 Choose the EFS file system that you want to examine, then click on the Show/Hide Details button to expand the panel with the file system configuration details.

05 On the selected file system panel, within the Other details section, make sure that the Encrypted attribute value is set to Yes (otherwise see this rule to enable file system encryption), then check the encryption key name set for the KMS key alias attribute. If the key alias (name) is "aws/elasticfilesystem", the selected EFS file system is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

06 Repeat steps no. 4 and 5 to verify the encryption status and configuration for the other file systems provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-file-systems command (OSX/Linux/UNIX) with a custom query filter to list the identifiers (IDs) of all AWS EFS file systems currently available in the selected region:

aws efs describe-file-systems \
	--region us-east-1 \
	--output table \
	--query 'FileSystems[*].FileSystemId'

02 The command output should return a table with the requested file system IDs:

---------------------
|DescribeFileSystems|
+-------------------+
|   fs-9b690cd2     |
|   fs-b5597cd9     |
+-------------------+

03 Run the describe-file-systems command (OSX/Linux/UNIX) again, using the ID of the file system that you want to examine as identifier and the necessary query filter to return the alias of the encryption key used to encrypt the data of the selected EFS file system:

aws efs describe-file-systems \
	--region us-east-1 \
	--file-system-id fs-9b690cd2 \
	--query 'FileSystems[*].KmsKeyId'

04 The command output should return the alias/name of the KMS key in use, or an empty array ([ ]) if no key is used to encrypt the file system data and metadata, i.e. encryption is not enabled (see this rule to enable encryption):

[
    "aws/elasticfilesystem"
]

If the key alias returned by the command output is "aws/elasticfilesystem", the selected EFS file system is encrypted using the default master key (AWS-managed key) instead of a KMS CMK customer-managed key.

05 Repeat steps no. 3 and 4 to verify the encryption key type and status for the other Amazon EFS file systems available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
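The audit above checks one file system at a time by eye. The following helper, added here and not part of the original rule page, does the same classification over the text output of describe-file-systems for a whole region and counts the non-compliant file systems; it also covers the case where EFS reports a bare key id or ARN instead of an alias by asking KMS for the key's KeyManager. The function names, the SAMPLE_EFS data and the use of the Encrypted field are assumptions of this example.

```shell
# Added audit helper, not from the original rule page: classifies each EFS file
# system from `describe-file-systems --output text` and counts those not encrypted
# with a customer-managed CMK. Only the two aws-calling functions need credentials.

# classify_efs_key ENCRYPTED KMSKEYID ("True"/"False" and the key alias, alias ARN,
# key id/ARN, or "None" when unset, as printed by --output text)
classify_efs_key() {
  case "$1" in True) ;; *) echo UNENCRYPTED; return ;; esac
  case "$2" in
    None|"")                                            echo UNENCRYPTED ;;
    aws/elasticfilesystem|*alias/aws/elasticfilesystem) echo AWS_MANAGED ;;
    *alias/*)                                           echo CUSTOMER_MANAGED ;;
    *)                                                  echo KEY_ID ;;  # bare id/ARN: ask KMS
  esac
}

# resolve_key_manager KEYID REGION: KMS DescribeKey reports KeyManager as "AWS"
# for AWS-managed keys and "CUSTOMER" for customer-managed ones.
resolve_key_manager() {
  aws kms describe-key --region "$2" --key-id "$1" --query 'KeyMetadata.KeyManager' --output text
}

# audit_efs_lines REGION: reads "FileSystemId<TAB>Encrypted<TAB>KmsKeyId" lines on
# stdin, prints one status line per file system and returns the number of
# non-compliant file systems (0 means every file system uses a customer CMK).
audit_efs_lines() {
  region=$1; bad=0
  while IFS="$(printf '\t')" read -r fsid encrypted key; do
    [ -n "$fsid" ] || continue
    status=$(classify_efs_key "$encrypted" "$key")
    if [ "$status" = KEY_ID ]; then
      case "$(resolve_key_manager "$key" "$region")" in
        CUSTOMER) status=CUSTOMER_MANAGED ;; *) status=AWS_MANAGED ;;
      esac
    fi
    [ "$status" = CUSTOMER_MANAGED ] || bad=$((bad + 1))
    printf '%s\t%s\n' "$fsid" "$status"
  done
  return "$bad"
}

# audit_efs_region REGION: live run over one region (call it once per region, as in step 06).
audit_efs_region() {
  aws efs describe-file-systems --region "$1" --output text \
    --query 'FileSystems[*].[FileSystemId,Encrypted,KmsKeyId]' | audit_efs_lines "$1"
}
# Constructed sample (ids taken from this page) for an offline run:
#   printf '%s\n' "$SAMPLE_EFS" | audit_efs_lines us-east-1
SAMPLE_EFS="$(printf 'fs-9b690cd2\tTrue\taws/elasticfilesystem\nfs-b5597cd9\tFalse\tNone\nfs-ca9613f7\tTrue\talias/EFSManagedCMK')"
```

On the constructed sample the helper prints one line per file system and exits with status 2, because only the third file system uses a customer-managed alias.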

Remediation / Resolution

To encrypt an existing AWS EFS file system with your own AWS KMS CMK customer-managed key you must copy the data from the existing file system onto the new one, that has the encryption feature enabled. To create the necessary KMS CMK customer-managed key and set up the new EFS file system, enable custom encryption and copy your existing data to it, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your file system is provisioned).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the file system data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the EFS file system data and metadata. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <the CMK display name>”.

12 Now that the necessary KMS CMK customer-managed key has been provisioned, navigate to the Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/ to create the new file system.

13 In the left navigation panel, select File Systems.

14 Click Create File System button from the dashboard top menu to start the file system setup process.

15 On the Configure file system access configuration page, perform the following actions:

  1. Choose the right VPC from the VPC dropdown list. Note that only the EC2 instances provisioned within the selected VPC can access the new file system.
  2. Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These are your mount targets. By selecting a mount target for each Availability Zone within the VPC, all the EC2 instances across your VPC can access the new file system.
  3. Click Next step to continue the setup process.

16 On the Configure optional settings page, perform the following:

  1. Inside Add tags section, create tags to describe your new file system.
  2. Select General Purpose (default) or Max I/O from Choose performance mode section to set up the performance mode for your file system based on your requirements.
  3. Check Enable encryption checkbox and choose the alias (name) of the AWS KMS Customer Master Key (CMK) created earlier from Select KMS master key dropdown list to enable encryption using your own KMS CMK key. To use a CMK key from another AWS account, choose Enter a KMS key ARN from another account option and provide the ARN of the foreign KMS key within the ARN/ID box.
  4. Click Next Step to continue.

17 On the Review and create page, review the file system configuration details then click Create File System to create your new AWS EFS file system.

18 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from on-premises servers over an AWS Direct Connect connection. For EC2 mount and on-premises mount instructions use the links provided within the EFS confirmation message.

19 Copy the data from the source (old) EFS file system onto the new one.

20 As soon as the data migration process is completed and all the data is loaded into your new (encrypted) file system, you can remove the source file system (encrypted with AWS-managed key) from your AWS account to avoid further charges by performing the following actions:

  1. Connect to your AWS EC2 instance and unmount the necessary EFS file system.
  2. Choose the Amazon EFS file system that you want to delete from the list of file systems available.
  3. Click the Action dropdown button from the dashboard top menu and select Delete file system option.
  4. Inside the Permanently delete file system dialog box, type the file system ID for the EFS file system that you want to delete, then choose Delete File System to confirm the action.

21 Repeat steps no. 14 - 20 to enable data-at-rest encryption for other Amazon EFS file systems available within the current region, using AWS KMS CMK keys.

22 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Before creating your KMS CMK key, you must define a policy that enables your selected IAM users and/or roles to administer the new KMS customer-managed key and to encrypt/decrypt file system data using the AWS KMS API. Create a new policy document called efs-kms-cmk-policy.json and paste the following content (replace the placeholder details, i.e. the account ID and the ARNs of the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "efs-file-system-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK key manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonEFSManage"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EFSAdministrator"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/EFSAdministrator"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run the create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. efs-kms-cmk-policy.json) as the --policy parameter value to create the new KMS CMK customer-managed key:

aws kms create-key \
	--region us-east-1 \
	--description 'KMS CMK key for encrypting EFS file system data' \
	--policy file://efs-kms-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK unique ID (the KeyId value), as this ID will be required later when you specify the CMK key used for file system data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "2cay029b-g12c-6dad-8e23-e8040c125d87",
        "Description": "KMS CMK key for encrypting EFS file system data",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1502962344.314,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8",
        "AWSAccountId": "123456789012"
    }
}

04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias (identifier) to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/EFSManagedCMK \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/62g32c20-e4cb-4ad2-931e-58a1a36a39f8

05 Run the describe-file-systems command (OSX/Linux/UNIX) to describe the configuration information available for the selected file system (see the Using AWS CLI part of the Audit section to identify the right resource):

aws efs describe-file-systems \
	--region us-east-1 \
	--file-system-id fs-9b690cd2

06 The command output should return the requested configuration information which will be useful later when the new EFS file system will be created:

{
    "FileSystems": [
        {
            "SizeInBytes": {
                "Value": 47124509430
            },
            "CreationToken": "console-d2654e1d-ada4-4c01-b433-d13cd8a135",
            "CreationTime": 1502962192.0,
            "PerformanceMode": "generalPurpose",

            ...

            "FileSystemId": "fs-9b690cd2",
            "NumberOfMountTargets": 6,
            "LifeCycleState": "available",
            "OwnerId": "123456789012"
        }
    ]
}

07 Run the create-file-system command (OSX/Linux/UNIX) using the configuration details of the existing file system (encrypted with the AWS-managed key) returned at the previous step to create a new, empty Amazon EFS file system encrypted with the KMS CMK key created earlier. The following command example creates a new file system whose data will be encrypted with the CMK key identified by the ID "2cay029b-g12c-6dad-8e23-e8040c125d87":

aws efs create-file-system \
	--region us-east-1 \
	--creation-token cli-c118e4e1d-ada4-4c01-b433-d33b1cabe644 \
	--performance-mode generalPurpose \
	--encrypted \
	--kms-key-id 2cay029b-g12c-6dad-8e23-e8040c125d87

08 The command output should return the new file system configuration metadata:

{
    "SizeInBytes": {
        "Value": 0
    },
    "CreationToken": "cli-c118e4e1d-ada4-4c01-b433-d33b1cabe644",
    "CreationTime": 1502962966.0,
    "PerformanceMode": "generalPurpose",
    "FileSystemId": "fs-ca9613f7",
    "NumberOfMountTargets": 0,
    "LifeCycleState": "creating",
    "OwnerId": "123456789012"
}

09 Run the create-mount-target command (OSX/Linux/UNIX) using the newly created EFS file system ID returned at the previous step as identifier and the ID of a subnet in the Availability Zone (AZ) that will host the mount target (change the --subnet-id value accordingly and run this command once for each AZ that you want to use as a mount target):

aws efs create-mount-target \
	--region us-east-1 \
	--file-system-id fs-ca9613f7 \
	--subnet-id subnet-d86ac01d

10 The command output should return the new mount target metadata:

{
    "MountTargetId": "fsmt-d35927ae",
    "NetworkInterfaceId": "eni-48833d3c",
    "FileSystemId": "fs-bd7613f4",
    "LifeCycleState": "creating",
    "SubnetId": "subnet-5a17c01d",
    "OwnerId": "123456789012",
    "IpAddress": "172.31.19.3"
}

11 You can now mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from an on-premises server over an AWS Direct Connect connection. For EC2 mount and on-premises mount instructions use the links provided within the confirmation message.

12 Copy the data from the old EFS file system onto the new one.

13 As soon as the data migration process is completed and all the data is loaded into your new file system, you can remove the source file system from your AWS account by running the delete-file-system command (OSX/Linux/UNIX) using the ID of the file system that you want to delete as identifier (the command does not produce an output):

aws efs delete-file-system \
	--region us-east-1 \
	--file-system-id fs-9b690cd2

14 Repeat steps no. 5 - 13 to enable data-at-rest encryption for other Amazon EFS file systems available in the current region, using AWS KMS CMK keys.

15 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 14 for other regions.
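Steps 07 to 13 above are safe only if the source file system is deleted after the new one is confirmed to be available and encrypted with the intended CMK. The helper below, added here and not the page's own script, runs steps 07 to 10 in one function, waits for the new file system to become available before adding mount targets, and gates the cut-over on a check of the Encrypted, KmsKeyId and LifeCycleState values returned by describe-file-systems. The variables REGION, CMK_KEY_ID and SUBNET_IDS, the function names and the creation-token format are assumptions of this example.

```shell
# Added migration helper, not the page's own script: creates the replacement file
# system with the CMK, waits for it, adds mount targets, then gates the cut-over on a
# check that the new file system really reports the intended key. Assumed variables:
# REGION, CMK_KEY_ID (KeyId or key ARN from create-key, not an alias), SUBNET_IDS
# (space separated). Copying the data and deleting the old file system stay manual.

# key_matches ACTUAL EXPECTED: EFS may report the key as a full ARN while the operator
# supplied a bare key id, so accept an exact match or an ARN ending in "/EXPECTED".
key_matches() {
  case "$1" in "$2"|*"/$2") return 0 ;; *) return 1 ;; esac
}

# ready_for_cutover ENCRYPTED KMSKEYID LIFECYCLESTATE EXPECTED_KEY: pure check on the
# values of describe-file-systems; true only when the file system is available and
# encrypted with the expected customer key.
ready_for_cutover() {
  [ "$1" = True ] && [ "$3" = available ] && key_matches "$2" "$4"
}

# efs_state FSID: prints "Encrypted<TAB>KmsKeyId<TAB>LifeCycleState" for one file system.
efs_state() {
  aws efs describe-file-systems --region "$REGION" --file-system-id "$1" \
    --query 'FileSystems[0].[Encrypted,KmsKeyId,LifeCycleState]' --output text
}

# migrate_efs: steps 07-10 above in one function, plus the readiness gate.
migrate_efs() {
  new_fs=$(aws efs create-file-system --region "$REGION" \
    --creation-token "cmk-migration-$(date +%s)" --performance-mode generalPurpose \
    --encrypted --kms-key-id "$CMK_KEY_ID" --query FileSystemId --output text) || return 1
  tries=0   # mount targets need an "available" file system; give up after 5 minutes
  until [ "$(efs_state "$new_fs" | cut -f3)" = available ]; do
    tries=$((tries + 1)); [ "$tries" -lt 60 ] || return 1; sleep 5
  done
  for subnet in $SUBNET_IDS; do
    aws efs create-mount-target --region "$REGION" --file-system-id "$new_fs" \
      --subnet-id "$subnet" --query MountTargetId --output text || return 1
  done
  set -- $(efs_state "$new_fs")   # unquoted on purpose: splits into Encrypted KmsKeyId LifeCycleState
  if ready_for_cutover "$1" "$2" "$3" "$CMK_KEY_ID"; then
    echo "$new_fs is available and encrypted with $2: copy the data, then delete the source file system"
  else
    echo "$new_fs is NOT encrypted with $CMK_KEY_ID (reports: $2); keep the source file system" >&2
    return 1
  fi
}
```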


Publication date 2017-22-09