
Enable AWS EFS Encryption


Security

Risk level: High (not acceptable risk)

Ensure that your Amazon EFS file systems are encrypted in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your file system, therefore the encryption process does not require any additional action from you or your application. Encryption keys are managed by the AWS KMS service, eliminating the need to build and maintain a secure key management infrastructure.

This rule resolution is part of the Cloud Conformity Security Package

Cloud Conformity strongly recommends encrypting your EFS file systems in order to protect your data and metadata from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.

Audit

To determine your Amazon EFS file systems encryption status, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

03 In the left navigation panel, select File Systems.

04 Choose the EFS file system that you want to examine, then click on the Show/Hide Details button to expand the panel with the file system configuration details.

05 On the selected file system panel, within Other details section, verify the Encrypted attribute value. If the current status/value is set to No, the selected Amazon EFS file system is not encrypted, therefore your EFS data-at-rest is not protected from unauthorized access and does not meet the compliance requirements regarding encryption.

06 Repeat step no. 4 and 5 to verify the encryption status for other file systems provisioned in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) using custom query filters to list the identifiers (IDs) of all AWS EFS file systems currently available within the selected region:

aws efs describe-file-systems \
	--region us-east-1 \
	--output table \
	--query 'FileSystems[*].FileSystemId'

02 The command output should return a table with the requested file system IDs:

---------------------
|DescribeFileSystems|
+-------------------+
|   fs-9b187dd2     |
|   fs-a1197ce8     |
|   fs-ec64d889     |
+-------------------+

03 Run describe-file-systems command (OSX/Linux/UNIX) again, using the ID of the file system that you want to examine as identifier and the necessary query filters to expose the encryption status for the selected Amazon EFS file system:

aws efs describe-file-systems \
	--region us-east-1 \
	--file-system-id fs-9b187dd2 \
	--query 'FileSystems[*].Encrypted'

04 The command output should return the file system encryption status (true for encrypted and false for unencrypted):

[
    false
]


If the returned value is false (as shown in the output example above), the selected AWS EFS file system is not encrypted, therefore your existing EFS data-at-rest is not protected in case of unauthorized access.

05 Repeat step no. 3 and 4 for each Amazon EFS file system available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
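The CLI audit above, steps 1 through 6, automated as a script. This is an added example, not Cloud Conformity's own tooling: it assumes the AWS CLI is installed and credentialed, and the JSON sample is constructed from the file system IDs used on this page, with a deliberately incomplete record to show that a missing Encrypted attribute is reported rather than skipped.

```python
"""Audit Amazon EFS data-at-rest encryption across regions (added example)."""
import json
import subprocess

# Constructed sample of `aws efs describe-file-systems` output (not real data).
SAMPLE_OUTPUT = json.dumps({
    "FileSystems": [
        {"FileSystemId": "fs-9b187dd2", "Encrypted": False,
         "LifeCycleState": "available"},
        {"FileSystemId": "fs-a1197ce8", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
        {"FileSystemId": "fs-ec64d889"},  # no Encrypted attribute at all
    ]
})


def unencrypted_file_systems(describe_output: str) -> list:
    """Return the IDs of file systems whose Encrypted flag is not true.

    A record without an Encrypted attribute is treated as a finding so the
    audit fails closed instead of silently passing an unknown state.
    """
    data = json.loads(describe_output)
    return [fs["FileSystemId"] for fs in data.get("FileSystems", [])
            if fs.get("Encrypted") is not True]


def describe_file_systems(region: str) -> str:
    """Run the same describe-file-systems call as audit step 1, as JSON."""
    cmd = ["aws", "efs", "describe-file-systems",
           "--region", region, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit(regions, fetch=describe_file_systems) -> dict:
    """Map each region to its unencrypted file system IDs (audit step 6 loop)."""
    return {region: unencrypted_file_systems(fetch(region)) for region in regions}


if __name__ == "__main__":
    # Offline demo on the constructed sample; drop the fetch override to hit AWS.
    findings = audit(["us-east-1"], fetch=lambda region: SAMPLE_OUTPUT)
    for region, ids in findings.items():
        for fs_id in ids:
            print(f"HIGH: {fs_id} in {region} is not encrypted at rest")
```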

Remediation / Resolution

To encrypt an existing AWS EFS file system you must copy the data from the existing file system onto a new one that has encryption enabled. To set up the new EFS file system, enable encryption, and copy your existing data to it, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elastic File System (EFS) dashboard at https://console.aws.amazon.com/efs/.

03 In the left navigation panel, select File Systems.

04 Click the Create File System button from the dashboard top menu to start the file system setup process.

05 On the Configure file system access configuration page, perform the following actions:

  1. Choose the right VPC from the VPC dropdown list. Note that only the EC2 instances provisioned within the selected VPC can access the new file system.
  2. Within Create mount targets section, select the checkboxes for all of the Availability Zones (AZs) within the selected VPC. These are your mount targets. By selecting a mount target for each Availability Zone within the VPC, all the EC2 instances across your VPC can access the new file system.
  3. Click Next step to continue the setup process.

06 On the Configure optional settings page, perform the following:

  1. Inside Add tags section, create tags to describe your new file system.
  2. Select General Purpose (default) or Max I/O from Choose performance mode section to set up the performance mode for your file system based on your requirements.
  3. Check Enable encryption checkbox and choose aws/elasticfilesystem from Select KMS master key dropdown list to enable encryption for the new file system using the default master key provided and managed by AWS KMS. This default master key is an AWS-managed key that is created automatically for the EFS service within your AWS account. To achieve better control over who can use the KMS key and access the encrypted data, you can create and manage your own KMS Customer Master Key (CMK) by following the instructions outlined in this conformity rule. Once your KMS CMK key is created, choose its alias from the Select KMS master key dropdown list. To use a CMK key from another AWS account, choose Enter a KMS key ARN from another account option and provide the ARN of the foreign KMS key inside the ARN/ID box.
  4. Click Next Step to continue.

07 On the Review and create page, review the file system configuration details then click Create File System to create your new AWS EFS file system.

08 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from an on-premises server over an AWS Direct Connect connection. For EC2 mount and on-premises mount instructions, use the links provided within the EFS confirmation message.

09 Copy the data from the source (old) EFS file system onto the new one.

10 As soon as the data migration process is completed and all the data is loaded into your new (encrypted) file system, you can remove the unencrypted file system from your AWS account to avoid further charges by performing the following actions:

  1. Connect to your AWS EC2 instance and unmount the unencrypted EFS file system.
  2. Choose the Amazon EFS file system that you want to delete from the list of file systems available.
  3. Click the Action dropdown button from the dashboard top menu and select Delete file system option.
  4. Inside the Permanently delete file system dialog box, type the file system ID for the EFS file system that you want to delete, then choose Delete File System to confirm the action. The removal process may take a few minutes to complete.

11 Repeat steps no. 4 - 10 to enable data-at-rest encryption for other Amazon EFS file systems available in the current region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) to describe the configuration information available for the selected (unencrypted) file system (see Audit section part II to identify the right resource):

aws efs describe-file-systems \
	--region us-east-1 \
	--file-system-id fs-9b187dd2

02 The command output should return the requested configuration information, which will be needed later when the new EFS file system is created:

{
    "FileSystems": [
        {
            "SizeInBytes": {
                "Value": 64424509440
            },
            "CreationToken": "console-c2964e1d-ada4-4c01-b433-d33bada599",
            "CreationTime": 1502962192.0,
            "PerformanceMode": "generalPurpose",

            ...

            "FileSystemId": "fs-9b187dd2",
            "NumberOfMountTargets": 6,
            "LifeCycleState": "available",
            "OwnerId": "123456789012"
        }
    ]
}

03 To provision a new AWS EFS file system, generate a universally unique identifier (UUID) to use as the creation token required by the create-file-system command. The EFS service uses this token to ensure idempotent creation: executing the command again with the same creation token has no effect. This lets you retry a create-file-system request without the risk of creating an extra file system, which matters when an initial request fails in a way that leaves it uncertain whether or not the EFS file system was actually created. As long as you use the same creation token as parameter for the create-file-system command, a retry after an initial request that did succeed returns a "FileSystemAlreadyExists" error, from which you can learn of the file system's existence. A randomly generated UUID is a suitable token.

04 Run create-file-system command (OSX/Linux/UNIX) using the unique token created at the previous step and the existing (unencrypted) file system configuration details returned at step no. 2 to create a new, empty Amazon EFS file system with encryption enabled. The new file system will be launched with the default master key used for data-at-rest encryption, an AWS-managed key that is generated automatically for the EFS service within your AWS account:

aws efs create-file-system \
	--region us-east-1 \
	--creation-token cli-d7164e1d-ada4-4c01-b433-d33b1cada665 \
	--performance-mode generalPurpose \
	--encrypted

05 The command output should return the new file system configuration metadata:

{
    "SizeInBytes": {
        "Value": 0
    },
    "CreationToken": "cli-d7164e1d-ada4-4c01-b433-d33b1cada665",
    "CreationTime": 1502965112.0,
    "PerformanceMode": "generalPurpose",
    "FileSystemId": "fs-bd7613f4",
    "NumberOfMountTargets": 0,
    "LifeCycleState": "creating",
    "OwnerId": "123456789012"
}
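The idempotent creation described in steps 3 to 5, as an added example that is not Cloud Conformity's own code: it retries create-file-system with the same token, resolves a FileSystemAlreadyExists response by looking the file system up by creation token, and refuses to continue if the pre-existing file system turns out to be unencrypted. It assumes the AWS CLI is installed; the `run` callable is injectable so the retry path can be exercised offline.

```python
"""Idempotent creation of an encrypted EFS file system (added example)."""
import json
import subprocess
import uuid


def new_creation_token() -> str:
    """Random UUID token, prefixed like the 'cli-' token used on this page."""
    return "cli-" + str(uuid.uuid4())


def create_cmd(region, token, performance_mode="generalPurpose", kms_key_id=None):
    """create-file-system invocation; --encrypted is never optional here."""
    cmd = ["aws", "efs", "create-file-system", "--region", region,
           "--creation-token", token, "--performance-mode", performance_mode,
           "--encrypted", "--output", "json"]
    if kms_key_id:  # customer-managed CMK instead of the default aws/elasticfilesystem key
        cmd += ["--kms-key-id", kms_key_id]
    return cmd


def describe_by_token_cmd(region, token):
    """Look a file system up by its creation token after a retry collision."""
    return ["aws", "efs", "describe-file-systems", "--region", region,
            "--creation-token", token, "--output", "json"]


def run_cli(cmd):
    """Default runner: (exit code, stdout, stderr) of one AWS CLI call."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def create_encrypted_fs(region, token, run=run_cli, attempts=3, **kw) -> str:
    """Retry with the SAME token. FileSystemAlreadyExists means an earlier
    attempt did succeed, so resolve it to the existing ID instead of failing."""
    err = ""
    for _ in range(attempts):
        rc, out, err = run(create_cmd(region, token, **kw))
        if rc == 0:
            return json.loads(out)["FileSystemId"]
        if "FileSystemAlreadyExists" in err:
            rc, out, _ = run(describe_by_token_cmd(region, token))
            fs = json.loads(out)["FileSystems"][0]
            if not fs.get("Encrypted"):
                raise RuntimeError(f"{fs['FileSystemId']} exists but is not encrypted")
            return fs["FileSystemId"]
    raise RuntimeError(f"create-file-system failed after {attempts} attempts: {err}")
```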

06 Run create-mount-target command (OSX/Linux/UNIX) using the newly created EFS file system ID returned at the previous step as identifier and the ID of a subnet in the Availability Zone (AZ) that will host the mount target (change the --subnet-id value accordingly and execute this command for each AZ that you want to use as mount target):

aws efs create-mount-target \
	--region us-east-1 \
	--file-system-id fs-bd7613f4 \
	--subnet-id subnet-5a17c01d

07 The command output should return the new mount target metadata:

{
    "MountTargetId": "fsmt-d35927ae",
    "NetworkInterfaceId": "eni-97733d3c",
    "FileSystemId": "fs-bd7613f4",
    "LifeCycleState": "creating",
    "SubnetId": "subnet-5a17c01d",
    "OwnerId": "123456789012",
    "IpAddress": "172.31.19.120"
}

08 You can mount your file system now from an EC2 instance with an NFSv4 client installed. You can also mount your file system from an on-premises server over an AWS Direct Connect connection. For EC2 mount and on-premises mount instructions, use the links provided within the confirmation message.

09 Copy the data from the source EFS file system onto the new one.

10 As soon as the data migration process is completed and all the data is loaded into your new (encrypted) file system, you can remove the unencrypted file system from your AWS account by executing delete-file-system command (OSX/Linux/UNIX) and using the ID of the file system that you want to delete as identifier (the command does not produce an output):

aws efs delete-file-system \
	--region us-east-1 \
	--file-system-id fs-9b187dd2

11 Repeat steps no. 1 - 9 to enable data-at-rest encryption for other Amazon EFS file systems available within the current region.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 10 for other regions.


Publication date 2017-22-09