Enable EFS File System Encryption at Rest Rule

This rule requires enabling encryption for EFS file system data at rest.

Rule: EFS file system encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

EFS File System Encryption at Rest Rule Description

This rule requires that encryption at rest be enabled on every Amazon Elastic File System (EFS) file system, in accordance with the protection-at-rest controls defined in NIST 800-53 Revision 5. An encrypted file system has its data and metadata encrypted with a key held in AWS Key Management Service (KMS), either the AWS managed key aws/elasticfilesystem or a customer managed key. This protects the data if the underlying storage is accessed outside of EFS; it does not restrict access through a mount target, which is governed by the file system policy, security groups and POSIX permissions. Note that the encryption setting is chosen when a file system is created and cannot be changed afterwards, which shapes the remediation below.

Troubleshooting Steps

If encryption at rest is not enabled for an EFS file system, work through the following checks:

  1. Confirm the file system's current state: the Encrypted attribute returned by describe-file-systems (or shown in the console) is authoritative.
  2. Determine which KMS key the replacement file system should use, and check that the key is enabled and that its key policy allows the account and the principal creating the file system to use it; a disabled or inaccessible key causes creation of an encrypted file system to fail.
  3. Ensure that the principal performing the remediation has permission to create EFS file systems and mount targets, and to use the chosen KMS key.
  4. Confirm that the replacement file system satisfies the encryption requirement before data is migrated and the unencrypted file system is retired.

Code

No application code is required for this rule. The AWS CLI commands in the remediation and validation sections below are sufficient.

Remediation Steps

Amazon EFS does not support turning encryption on for an existing file system: the Encrypted property is fixed when the file system is created, and neither the console nor the update-file-system command can change it. Remediation therefore means creating an encrypted replacement and moving the data into it:

  1. Identify the unencrypted file system, the applications that mount it, and the KMS key the replacement should use (the AWS managed key aws/elasticfilesystem, or a customer managed key whose key policy allows use by the account).
  2. Ensure that you have permission to create EFS file systems and mount targets and, for a customer managed key, to use that key.
  3. Create the encrypted replacement using the AWS Management Console or the AWS CLI as described below, and create mount targets for it in the same subnets and security groups as the original.
  4. Copy the data from the old file system to the new one, for example with AWS DataSync (which supports EFS-to-EFS transfers) or with rsync from an instance that mounts both file systems.
  5. Re-point the consumers (mount units, ECS/EKS volume definitions, Lambda file system configurations) at the new file system ID, verify that they work, and then delete the unencrypted file system.

AWS Management Console:

  1. Go to the Amazon EFS console and choose "Create file system", then "Customize".
  2. In the file system settings, make sure that encryption of data at rest is enabled (the console enables it by default) and choose the KMS key to use. If you need a customer managed key and have not created one yet, create it in the KMS console first.
  3. Complete the network and policy settings and create the file system.

AWS CLI:

  1. Open a terminal or command prompt.
  2. Run the following AWS CLI command. Unlike the console, the CLI creates an unencrypted file system unless --encrypted is given:
aws efs create-file-system --creation-token <unique-token> --encrypted --kms-key-id <kms-key-id>

Replace <unique-token> with any unique string (it makes the call idempotent if it is retried) and <kms-key-id> with the ID, ARN or alias of the KMS key to use. Omit --kms-key-id to use the AWS managed key aws/elasticfilesystem.

Validation Steps

To validate whether encryption at rest is enabled for the EFS file system, follow these steps:

AWS Management Console:

  1. Go to the Amazon EFS console.
  2. Select the desired EFS file system.
  3. In the file system details, check that the encryption attribute shows encryption at rest as enabled, and note the KMS key in use.

AWS CLI:

  1. Open a terminal or command prompt.
  2. Run the following AWS CLI command:
aws efs describe-file-systems --file-system-id <filesystem-id> --query "FileSystems[].Encrypted"

Replace <filesystem-id> with the ID of the EFS file system you want to validate.

If encryption is enabled, the command returns a list containing true; otherwise it returns a list containing false.
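The audit from the troubleshooting and validation steps, together with the create step of the remediation, as an added shell example that is not part of this page or of any AWS tooling. It assumes AWS CLI v2 with credentials that can describe and create EFS file systems and use the chosen KMS key; the region, creation token and key alias in the usage comment are placeholders. The parsing function works on the tab-separated text output of describe-file-systems, so it can be exercised against a constructed sample without an AWS account.

```shell
#!/bin/sh
# Added example (not from the original page or from AWS): audit EFS file
# systems for encryption at rest and create the encrypted replacement that
# remediation requires. Assumes AWS CLI v2 and credentials that allow
# elasticfilesystem:DescribeFileSystems and elasticfilesystem:CreateFileSystem
# (plus use of the KMS key when a customer managed key is chosen).

# list_unencrypted: reads lines of "FileSystemId<TAB>Encrypted<TAB>KmsKeyId"
# on stdin, the shape produced by the --query/--output text combination in
# audit_region (booleans print as True/False, missing values as None), and
# prints the IDs whose Encrypted column is anything other than True.
list_unencrypted() {
    awk -F'\t' 'NF >= 2 && $2 != "True" { print $1 }'
}

# is_encrypted: the page's validation step for one file system as an exit
# status (0 = encrypted), so it can gate a deployment or CI job.
is_encrypted() {
    fs_id="$1"
    state=$(aws efs describe-file-systems --file-system-id "$fs_id" \
        --query 'FileSystems[0].Encrypted' --output text)
    [ "$state" = "True" ]
}

# audit_region: lists every file system in one region, reports the
# unencrypted ones, and returns 1 when any exist.
audit_region() {
    region="$1"
    offenders=$(aws efs describe-file-systems --region "$region" \
        --query 'FileSystems[].[FileSystemId,Encrypted,KmsKeyId]' \
        --output text | list_unencrypted)
    if [ -n "$offenders" ]; then
        printf 'Unencrypted EFS file systems in %s:\n%s\n' "$region" "$offenders"
        return 1
    fi
    printf 'All EFS file systems in %s are encrypted at rest.\n' "$region"
}

# create_encrypted_fs: creates the replacement file system and prints its ID.
# Encryption is a create-time choice, so remediation is create-and-migrate.
#   $1 = creation token (any unique string; makes a retried call idempotent)
#   $2 = KMS key ID, ARN or alias; empty selects the AWS managed key
#        aws/elasticfilesystem
create_encrypted_fs() {
    token="$1"
    key="$2"
    if [ -n "$key" ]; then
        aws efs create-file-system --creation-token "$token" --encrypted \
            --kms-key-id "$key" --query 'FileSystemId' --output text
    else
        aws efs create-file-system --creation-token "$token" --encrypted \
            --query 'FileSystemId' --output text
    fi
}

# Typical use (placeholder values; needs live credentials):
#   audit_region us-east-1
#   new_id=$(create_encrypted_fs migrate-fs-0123456789abcdef0 alias/efs-data)
#   is_encrypted "$new_id" && echo "replacement is encrypted"
```

The audit deliberately treats any value other than True as a finding, so a file system whose Encrypted column is missing or malformed is reported rather than silently passed. Data migration and cut-over are not scripted here because they depend on the workload; see the remediation steps above.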

Conclusion

Encryption at rest on every EFS file system satisfies this NIST 800-53 Revision 5 control. Because the setting cannot be changed after creation, the remediation above replaces an unencrypted file system with an encrypted one and migrates the data. To keep the finding from recurring, deny elasticfilesystem:CreateFileSystem in IAM or a service control policy when the elasticfilesystem:Encrypted condition key is false, and use the validation steps above to confirm that every file system reports Encrypted as true.
