EFS Encryption at Rest Enabled
Overview
This check verifies that your Amazon EFS (Elastic File System) file systems have encryption at rest enabled using AWS KMS. When enabled, all data and metadata stored in the file system is automatically encrypted.
Risk
Without encryption at rest, EFS contents are vulnerable to unauthorized access:
- Data exposure: Unencrypted file systems can be read directly if an attacker gains access to the underlying storage or backups
- Compliance violations: Many security frameworks (CIS, PCI-DSS, HIPAA) require encryption of data at rest
- Data exfiltration: A compromised host with EFS mount access could allow covert data harvesting
- Integrity risks: Without encryption, unauthorized modifications to stored files may go undetected
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to create and manage EFS file systems
- Understanding that existing unencrypted file systems cannot be encrypted - you must create a new encrypted file system and migrate your data
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- elasticfilesystem:CreateFileSystem
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DeleteFileSystem
- kms:DescribeKey (if using a custom KMS key)
- kms:CreateGrant (if using a custom KMS key)
AWS Console Method
Important: EFS encryption must be enabled when the file system is created. You cannot enable encryption on an existing unencrypted file system. You will need to create a new encrypted file system and migrate your data.
1. Open the EFS Console
   - Go to EFS Console in us-east-1
2. Create a new encrypted file system
   - Click Create file system
   - Click Customize to see all options (don't use the quick create)
3. Configure encryption
   - In Step 1 (File system settings), find the Encryption section
   - Ensure Enable encryption of data at rest is checked (it should be on by default)
   - Choose your encryption key:
     - aws/elasticfilesystem (AWS-managed key) - simplest option
     - Custom KMS key - better for access control and audit logging
   - Complete the remaining configuration steps and click Create
4. Migrate data from the unencrypted file system
   - Mount both the old (unencrypted) and new (encrypted) file systems
   - Copy data using rsync, AWS DataSync, or your preferred method
   - Update applications to use the new file system
   - Delete the old unencrypted file system once migration is verified
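The last step says to delete the old file system only once the migration is verified. The script below is an added example (not part of the original guide) of that verification: it assumes both file systems are mounted locally at paths you pass in (for instance /mnt/efs-old and /mnt/efs-new, which are assumptions), hashes every regular file on both sides, and reports files that are missing, differ, or exist only on the new file system.

```python
import hashlib
import os
import sys
from typing import Dict, List


def _manifest(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 of content for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are outside this content check
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, don't load whole file
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def verify_migration(src: str, dst: str) -> Dict[str, List[str]]:
    """Compare source and destination trees; all three lists empty means the copy is complete."""
    s, d = _manifest(src), _manifest(dst)
    return {
        "missing": sorted(p for p in s if p not in d),                  # never copied
        "mismatched": sorted(p for p in s if p in d and s[p] != d[p]),  # copied but differs
        "extra": sorted(p for p in d if p not in s),                    # on new FS only
    }


def migration_clean(src: str, dst: str) -> bool:
    """True only when nothing is missing, mismatched or extra."""
    return not any(verify_migration(src, dst).values())


if __name__ == "__main__":
    # Usage: python verify_migration.py /mnt/efs-old /mnt/efs-new (mount paths are assumptions)
    result = verify_migration(sys.argv[1], sys.argv[2])
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
    sys.exit(0 if not any(result.values()) else 1)
```

A non-zero exit means the old file system is not yet safe to delete; rerun the copy and check again.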
AWS CLI (optional)
Create an encrypted file system
aws efs create-file-system \
--performance-mode generalPurpose \
--throughput-mode bursting \
--encrypted \
--tags Key=Name,Value=my-encrypted-efs \
--region us-east-1
Expected output:
{
"OwnerId": "123456789012",
"FileSystemId": "fs-1234567890abcdef0",
"FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-1234567890abcdef0",
"LifeCycleState": "creating",
"Name": "my-encrypted-efs",
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-example11111",
"ThroughputMode": "bursting",
"PerformanceMode": "generalPurpose"
}
Create encrypted file system with custom KMS key
aws efs create-file-system \
--performance-mode generalPurpose \
--throughput-mode bursting \
--encrypted \
--kms-key-id alias/my-efs-key \
--tags Key=Name,Value=my-encrypted-efs \
--region us-east-1
Replace alias/my-efs-key with your KMS key alias, key ID, or ARN.
Note: EFS only supports symmetric KMS keys. Asymmetric keys are not supported.
List unencrypted file systems
To find file systems that need remediation:
aws efs describe-file-systems \
--query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name]' \
--output table \
--region us-east-1
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Encrypted EFS File System
Parameters:
  FileSystemName:
    Type: String
    Default: encrypted-efs
    Description: Name tag for the EFS file system
  PerformanceMode:
    Type: String
    Default: generalPurpose
    AllowedValues:
      - generalPurpose
      - maxIO
    Description: EFS performance mode
  ThroughputMode:
    Type: String
    Default: bursting
    AllowedValues:
      - bursting
      - provisioned
      - elastic
    Description: EFS throughput mode
Resources:
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      # Uncomment to use a custom KMS key:
      # KmsKeyId: !GetAtt EFSKmsKey.Arn
      PerformanceMode: !Ref PerformanceMode
      ThroughputMode: !Ref ThroughputMode
      FileSystemTags:
        - Key: Name
          Value: !Ref FileSystemName
  # Optional: Customer-managed KMS key for better access control
  # EFSKmsKey:
  #   Type: AWS::KMS::Key
  #   Properties:
  #     Description: KMS key for EFS encryption
  #     EnableKeyRotation: true
  #     KeyPolicy:
  #       Version: '2012-10-17'
  #       Statement:
  #         - Sid: Enable IAM User Permissions
  #           Effect: Allow
  #           Principal:
  #             AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
  #           Action: 'kms:*'
  #           Resource: '*'
Outputs:
  FileSystemId:
    Description: EFS File System ID
    Value: !Ref EFSFileSystem
    Export:
      Name: !Sub '${AWS::StackName}-FileSystemId'
  FileSystemArn:
    Description: EFS File System ARN
    Value: !GetAtt EFSFileSystem.Arn
    Export:
      Name: !Sub '${AWS::StackName}-FileSystemArn'
Deploy with:
aws cloudformation create-stack \
--stack-name encrypted-efs \
--template-body file://efs-encrypted.yaml \
--region us-east-1
Terraform (optional)
# Encrypted EFS File System
resource "aws_efs_file_system" "encrypted" {
  encrypted        = true
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"
  # Uncomment to use a custom KMS key:
  # kms_key_id = aws_kms_key.efs.arn
  tags = {
    Name = "encrypted-efs"
  }
}

# Optional: Customer-managed KMS key for better access control
resource "aws_kms_key" "efs" {
  description             = "KMS key for EFS encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow EFS to use the key"
        Effect = "Allow"
        Principal = {
          Service = "elasticfilesystem.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
          "kms:CreateGrant"
        ]
        Resource = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "efs" {
  name          = "alias/efs-encryption"
  target_key_id = aws_kms_key.efs.key_id
}

data "aws_caller_identity" "current" {}

output "file_system_id" {
  description = "EFS File System ID"
  value       = aws_efs_file_system.encrypted.id
}

output "file_system_arn" {
  description = "EFS File System ARN"
  value       = aws_efs_file_system.encrypted.arn
}
Deploy with:
terraform init
terraform plan
terraform apply
Verification
After creating an encrypted file system, verify the configuration:
1. In the AWS Console:
   - Go to EFS Console and select your file system
   - On the General tab, check that Encryption shows Enabled
   - Verify the KMS key is set to your preferred key
2. Create a test file:
   - Mount the file system and create a test file
   - Verify normal read/write operations work correctly
CLI verification commands
Check encryption status of a specific file system:
aws efs describe-file-systems \
--file-system-id fs-1234567890abcdef0 \
--query 'FileSystems[0].[FileSystemId,Encrypted,KmsKeyId]' \
--output table \
--region us-east-1
List all file systems with encryption status:
aws efs describe-file-systems \
--query 'FileSystems[].[FileSystemId,Name,Encrypted]' \
--output table \
--region us-east-1
Find any remaining unencrypted file systems:
aws efs describe-file-systems \
--query 'FileSystems[?Encrypted==`false`].FileSystemId' \
--output text \
--region us-east-1
If the output is empty, all your EFS file systems are encrypted.
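The CLI queries above (here and under "List unencrypted file systems") only tell you whether a file system is encrypted, not which kind of key protects it, because the AWS-managed aws/elasticfilesystem key also shows up as a key ARN in KmsKeyId. The script below is an added example, not from the original guide: it applies the same Encrypted==false selection and then uses the KeyMetadata.KeyManager field of `aws kms describe-key` ("AWS" or "CUSTOMER") to separate AWS-managed from customer-managed keys. It runs offline on constructed sample data with placeholder IDs and ARNs; in practice you feed it the JSON from `aws efs describe-file-systems` and one describe-key result per KmsKeyId.

```python
from typing import Dict, List

# Constructed sample (placeholder IDs/ARNs): one unencrypted file system,
# one on the AWS-managed key, one on a customer-managed key.
SAMPLE_FILE_SYSTEMS = {
    "FileSystems": [
        {"FileSystemId": "fs-aaaaaaaaaaaaaaaa0", "Name": "legacy-shared", "Encrypted": False},
        {"FileSystemId": "fs-bbbbbbbbbbbbbbbb0", "Name": "app-data", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aws-managed-placeholder"},
        {"FileSystemId": "fs-cccccccccccccccc0", "Name": "pii-store", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/customer-placeholder"},
    ]
}
# Constructed describe-key results keyed by key ARN. KeyMetadata.KeyManager is what
# tells the AWS-managed aws/elasticfilesystem key apart from a customer-managed key;
# the ARN alone does not.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/aws-managed-placeholder":
        {"KeyMetadata": {"KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT"}},
    "arn:aws:kms:us-east-1:123456789012:key/customer-placeholder":
        {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT"}},
}


def classify(fs: dict, keys: Dict[str, dict]) -> str:
    """FAIL for an unencrypted file system; otherwise PASS_AWS_KEY or PASS_CUSTOMER_KEY."""
    if not fs.get("Encrypted"):
        return "FAIL"  # cannot be fixed in place: recreate and migrate
    meta = keys.get(fs.get("KmsKeyId", ""), {}).get("KeyMetadata", {})
    if meta.get("KeyManager") == "CUSTOMER":
        return "PASS_CUSTOMER_KEY"
    return "PASS_AWS_KEY"  # encrypted, but key policy and audit are AWS-managed


def unencrypted_ids(resp: dict) -> List[str]:
    """Same selection as the CLI query FileSystems[?Encrypted==false]."""
    return [f["FileSystemId"] for f in resp.get("FileSystems", []) if not f.get("Encrypted")]


def report(resp: dict, keys: Dict[str, dict]) -> List[dict]:
    """One finding per file system, FAIL findings first."""
    rows = [{"id": f["FileSystemId"], "name": f.get("Name", ""), "status": classify(f, keys)}
            for f in resp.get("FileSystems", [])]
    return sorted(rows, key=lambda r: r["status"] != "FAIL")  # stable sort: False first


if __name__ == "__main__":
    for r in report(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS):
        print(f"{r['status']:<18} {r['id']}  {r['name']}")
```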
Additional Resources
- AWS Documentation: Encrypting Data at Rest
- AWS Documentation: Amazon EFS and AWS KMS
- AWS Knowledge Center: Enable EFS Encryption
- AWS DataSync for Migration
Notes
- Cannot encrypt existing file systems: Unlike some AWS services, EFS does not support enabling encryption on existing file systems. You must create a new encrypted file system and migrate your data.
- Encryption enabled at creation only: The encryption setting is permanent. You cannot change it after the file system is created.
- KMS key selection: Using a customer-managed KMS key (instead of the AWS-managed aws/elasticfilesystem key) gives you more control over key access policies and enables CloudTrail logging of key usage.
- Performance impact: EFS encryption has minimal performance impact because encryption is handled by the EFS infrastructure, not your instances.
- Symmetric keys only: EFS only supports symmetric KMS keys. Asymmetric KMS keys are not supported for EFS encryption.
- Cost: EFS encryption itself is free. Customer-managed KMS keys incur charges ($1/month per key plus API usage).
- Cross-account access: If you use a customer-managed KMS key and need to share the file system across accounts, you must grant the other account access to the KMS key.