AWS Elastic File System (EFS) with encryption for data at rest is disabled
Description
Amazon Elastic File System (Amazon EFS) is a simple, scalable file storage solution for AWS services and on-premises resources. Amazon EFS is built to elastically scale on-demand. It grows and shrinks automatically as files are added and removed. It is essential to encrypt your Amazon EFS to protect data and metadata against unauthorized access. Encrypting your Amazon EFS also fulfils compliance requirements for data-at-rest encryption when file systems are used in production systems.
Code Example
{
"aws efs create-file-system \\
--creation-token $(uuidgen) \\
--performance-mode generalPurpose \\
--encrypted \\
--kms-key-id user/customer-managedCMKalias",
}Remediation
- Amazon Console To change the policy using the AWS Console, follow these steps:*
. Log in to the AWS Management Console at https://console.aws.amazon.com/.
. Open the https://console.aws.amazon.com/efs/ [Amazon Elastic File System console].
. To open the file system creation wizard, click * Create file system*.
. Select * Enable encryption*.
. To enable encryption using your own KMS CMK key, from the * KMS master key* list select the name of your * AWS Key*.
- CLI Command*
In the CreateFileSystem operation, the --encrypted parameter is a Boolean and is required for creating encrypted file systems. The --kms-key-id is required only when you use a customer-managed CMK and you include the key's alias or ARN.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0096 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_42 |