
Ensure EFS File System Encryption at Rest Rule

This rule ensures that EFS file system encryption at rest is enabled for data protection.

Rule: EFS file system encryption at rest should be enabled
Framework: GxP EU Annex 11
Severity: High

Ensuring EFS File System Encryption at Rest for GxP EU Annex 11 Compliance

The Good Manufacturing Practice guidelines under EU Annex 11 require that electronic records must be protected to ensure their integrity, confidentiality, and availability. As such, EFS (Elastic File System) in the AWS environment must employ encryption at rest to be compliant with these guidelines.

What is EFS Encryption at Rest?

EFS encryption at rest automatically encrypts your data as it is written to the file system and decrypts it when it is read. The encryption and decryption are handled transparently and do not require any additional action from the user.

How to Enable EFS Encryption at Rest

Step 1: Create an Encrypted File System

To create a new encrypted EFS file system using the AWS Management Console, follow these steps:

  1. Navigate to the EFS dashboard within the AWS Management Console.
  2. Click on "Create file system".
  3. Configure the file system settings according to your needs.
  4. Under "File system settings", look for the "Encryption" option.
  5. Check the "Enable encryption" box to ensure that encryption at rest is enabled.
  6. Select a key to use for encryption, which can be the default AWS EFS key or a custom AWS KMS key.
  7. Proceed with the creation of the file system by following the on-screen instructions.

Step 2: Verify Encryption

Once the file system is created, you can verify that encryption is enabled by:

  1. Navigate to the EFS dashboard.
  2. Select the file system you created.
  3. In the "Details" section, there should be an "Encryption" field indicating that encryption is enabled.

Step 3: Enable Encryption for an Existing File System

For existing file systems that were created without encryption, AWS does not currently support enabling encryption directly. Instead, you will need to follow these steps to migrate your data to a new, encrypted file system:

  1. Create a new encrypted EFS file system following the steps above.
  2. Mount the new file system alongside the old one on an EC2 instance or on-premises server.
  3. Copy the data from the old file system to the new encrypted file system using a tool such as rsync (the amazon-efs-utils mount helper can be used to mount both file systems).

     # Basic rsync command to copy data from the non-encrypted to the encrypted EFS.
     # The trailing slashes copy the contents of the old mount point into the new one
     # instead of nesting an extra "efs" directory inside it.
     sudo rsync -avz /path/to/old/efs/ /path/to/new/encrypted/efs/

  4. After ensuring the data is copied successfully, update any references to the old file system to point to the new encrypted file system.

Step 4: Automate Encryption Auditing

To ensure continued compliance, set up regular auditing of your EFS to make sure encryption remains enabled. This can be done using AWS Config, which continually monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

# To create an AWS Config rule that checks whether your EFS file systems are encrypted, you can use the following AWS CLI command:
aws configservice put-config-rule --config-rule file://config-rule-for-efs-encryption.json

* The config-rule-for-efs-encryption.json file needs to contain the rule definition, as described in the AWS Config rule development documentation.
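As an added check (example code, not Cloud Defense's or AWS's tooling), the script below covers both halves of this step with boto3: it writes the config-rule-for-efs-encryption.json referenced above for the AWS managed rule EFS_ENCRYPTED_CHECK, and it evaluates DescribeFileSystems output the same way that rule does, flagging any file system whose Encrypted flag is not true. The sample response, file system ids and key ARN are constructed placeholders.

```python
"""Audit EFS encryption at rest and emit the Config rule JSON for put-config-rule.
Added example, not Cloud Defense's code; a live run needs DescribeFileSystems rights."""
import json

# AWS managed rule EFS_ENCRYPTED_CHECK; the file name matches the CLI command above.
CONFIG_RULE_FILE = "config-rule-for-efs-encryption.json"
CONFIG_RULE = {
    "ConfigRuleName": "efs-encrypted-check",
    "Description": "Checks that EFS file systems are encrypted at rest.",
    "Source": {"Owner": "AWS", "SourceIdentifier": "EFS_ENCRYPTED_CHECK"},
    "Scope": {"ComplianceResourceTypes": ["AWS::EFS::FileSystem"]},
}

def write_config_rule(path=CONFIG_RULE_FILE):
    """Write the rule definition consumed by `aws configservice put-config-rule`."""
    with open(path, "w") as fh:
        json.dump(CONFIG_RULE, fh, indent=2)
    return path

def find_unencrypted(describe_response):
    """Return file systems whose Encrypted flag is not True (DescribeFileSystems shape)."""
    findings = []
    for fs in describe_response.get("FileSystems", []):
        if fs.get("Encrypted") is not True:  # a missing flag is also a finding
            findings.append({"FileSystemId": fs["FileSystemId"],
                             "Name": fs.get("Name", ""),
                             "KmsKeyId": fs.get("KmsKeyId", "")})
    return findings

def audit_region(region):
    """Live check: walk every DescribeFileSystems page and collect findings."""
    import boto3  # imported here so the pure logic above needs no AWS access
    efs = boto3.client("efs", region_name=region)
    findings, kwargs = [], {}
    while True:
        page = efs.describe_file_systems(**kwargs)
        findings.extend(find_unencrypted(page))
        if "NextMarker" not in page:
            return findings
        kwargs = {"Marker": page["NextMarker"]}

# Constructed sample response (placeholder ids, not real resources) for a dry run.
SAMPLE_RESPONSE = {"FileSystems": [
    {"FileSystemId": "fs-0000aaaa", "Name": "gxp-records", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"FileSystemId": "fs-0000bbbb", "Name": "legacy-share", "Encrypted": False}]}
if __name__ == "__main__":
    write_config_rule()
    for f in find_unencrypted(SAMPLE_RESPONSE):
        print(f"NON-COMPLIANT {f['FileSystemId']} ({f['Name']}): not encrypted at rest")
```

Run it without arguments for the offline dry run; call audit_region("us-east-1") (or your region) with credentials configured to check real file systems.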

Step 5: Encrypted File System Backup

Backups of encrypted EFS file systems should also be encrypted. Configure AWS Backup to manage and automate backups of your EFS file systems, ensuring that encryption settings are also enforced on the backups.

Remediating Non-Compliant EFS File Systems

Remediating non-compliant EFS file systems involves creating an encrypted version of the file system and migrating the data. The data transfer should be done securely, avoiding any unencrypted transfer mechanisms.

Troubleshooting Tips

  • Ensure the IAM user has the necessary permissions for EFS creation and encryption key usage.
  • Verify network connectivity between the EC2 instance and the EFS endpoints during data migration.
  • Investigate any errors returned by AWS KMS during encryption to make sure KMS policies and key access are configured correctly.
  • For issues with AWS Config, consult the AWS Config troubleshooting documentation for guidance on particular error messages or configuration issues.

By following these steps, you can adhere to GxP EU Annex 11 compliance for your AWS EFS and maintain the security and integrity of your electronic records. Remember to periodically review and update your compliance status as both organizational requirements and AWS features evolve.
