EFS Encryption Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EFS-001

Ensure that the data available on your Amazon EFS file systems is encrypted at rest in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your file system, therefore the encryption process does not require any additional action from you or your application. Encryption keys are managed by Amazon KMS, eliminating the need to build and maintain a secure key management infrastructure.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Organizational policies, industry or government regulations, and internal compliance requirements often require the use of encryption at rest. Trend Cloud One™ – Conformity strongly recommends encrypting your EFS file systems in order to protect your data and metadata from unauthorized access and to fulfill compliance requirements for data-at-rest encryption within your organization.

Audit

To determine the encryption status of your Amazon EFS file systems, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

03 In the main navigation panel, under Elastic File System, choose File systems.

04 Click on the name/ID (link) of the EFS file system that you want to examine.

05 In the General section, check the Encrypted attribute value. If the Encrypted value is set to No, the data on the selected Amazon EFS file system is not encrypted at rest, therefore your file system data is not fully protected from unauthorized access.

06 Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EFS file system provisioned in the selected AWS region:

aws efs describe-file-systems \
  --region us-east-1 \
  --output table \
  --query 'FileSystems[*].FileSystemId'

02 The command output should return a table with the requested file system ID(s):

--------------------------
|   DescribeFileSystems  |
+------------------------+
|  fs-0abcd1234abcd1234  |
|  fs-01234abcd1234abcd  |
+------------------------+

03 Run describe-file-systems command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to examine as the identifier and custom query filters to describe the encryption status for the selected file system:

aws efs describe-file-systems \
  --region us-east-1 \
  --file-system-id fs-0abcd1234abcd1234 \
  --query 'FileSystems[*].Encrypted'

04 The command output should return the file system encryption status (true for encrypted and false for unencrypted):

[
    false
]

If the describe-file-systems command output returns false, as shown in the example above, the data on the selected Amazon EFS file system is not encrypted at rest, therefore your file system data is not completely protected from unauthorized access.

05 Repeat steps no. 3 and 4 for each Amazon EFS file system available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
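The Audit steps above can be automated. The following Python module is an added example (not Conformity's own tooling) that applies the EFS-001 check to describe-file-systems output: it follows NextMarker pagination, fails closed when the Encrypted attribute is missing, and, when boto3 and credentials are available, runs the check in every region that offers EFS. SAMPLE_PAGES is a constructed sample mirroring the two file systems shown above.

```python
"""Audit Amazon EFS file systems for encryption at rest (rule EFS-001). Added example."""
from typing import Dict, Iterable, List


def unencrypted_file_systems(pages: Iterable[Dict]) -> List[Dict]:
    """One finding per file system not encrypted at rest, from describe-file-systems pages."""
    findings = []
    for page in pages:
        for fs in page.get("FileSystems", []):
            # Fail closed: a missing "Encrypted" attribute is reported, not assumed encrypted.
            if fs.get("Encrypted") is True:
                continue
            arn = fs.get("FileSystemArn", "")
            findings.append({
                "RuleId": "EFS-001",
                "RiskLevel": "High",
                "FileSystemId": fs.get("FileSystemId"),
                "Region": arn.split(":")[3] if arn.count(":") >= 5 else None,
                "Encrypted": fs.get("Encrypted"),
            })
    return findings


def describe_all_pages(client) -> List[Dict]:
    """Collect every page of describe-file-systems (NextMarker pagination) from a boto3 EFS client."""
    pages, marker = [], None
    while True:
        page = client.describe_file_systems(**({"Marker": marker} if marker else {}))
        pages.append(page)
        marker = page.get("NextMarker")
        if not marker:
            return pages


def audit_all_regions() -> List[Dict]:
    """Run the check in every region that offers EFS (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the filtering above stays usable offline
    session = boto3.Session()
    findings = []
    for region in session.get_available_regions("efs"):
        client = session.client("efs", region_name=region)
        findings.extend(unencrypted_file_systems(describe_all_pages(client)))
    return findings


# Constructed sample mirroring the two file systems shown in the Audit steps above.
SAMPLE_PAGES = [
    {"FileSystems": [{"FileSystemId": "fs-0abcd1234abcd1234", "Encrypted": False,
                      "FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0abcd1234abcd1234"}],
     "NextMarker": "page-2"},
    {"FileSystems": [{"FileSystemId": "fs-01234abcd1234abcd", "Encrypted": True,
                      "FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-01234abcd1234abcd"}]},
]
```

Running unencrypted_file_systems(SAMPLE_PAGES) yields a single High finding for fs-0abcd1234abcd1234; audit_all_regions() produces the same kind of findings for a live account.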

Remediation / Resolution

To encrypt an existing Amazon EFS file system, you must create a new file system with encryption at rest enabled and copy the data from the existing file system to it (encryption at rest can only be enabled when a file system is created). To set up a new EFS file system, enable encryption at rest, and copy your existing data to it, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Encryption at Rest",
    "Resources": {
        "MountTargetVPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {
                "CidrBlock": "172.16.0.0/16"
            }
        },
        "MountTargetSubnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "CidrBlock": "172.16.1.0/24",
                "VpcId": {
                    "Ref": "MountTargetVPC"
                },
                "AvailabilityZone": "us-east-1a"
            }
        },
        "EFSFileSystem": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {
                "Encrypted": true,
                "PerformanceMode": "generalPurpose",
                "ThroughputMode": "bursting",
                "FileSystemPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "elasticfilesystem:ClientMount"
                            ],
                            "Principal":  {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
                        }
                    ]
                }
            }
        },
        "EFSMountTarget": {
            "Type": "AWS::EFS::MountTarget",
            "Properties": {
                "FileSystemId": {
                    "Ref": "EFSFileSystem"
                },
                "SubnetId": {
                    "Ref": "MountTargetSubnet"
                },
                "SecurityGroups": [
                    {
                        "Fn::GetAtt": [
                            "MountTargetVPC",
                            "DefaultSecurityGroup"
                        ]
                    }
                ]
            }
        },
        "EFSAccessPoint": {
            "Type": "AWS::EFS::AccessPoint",
            "Properties": {
                "FileSystemId": {
                    "Ref": "EFSFileSystem"
                },
                "PosixUser": {
                    "Uid": "13234",
                    "Gid": "1322",
                    "SecondaryGids": [
                        "1344",
                        "1452"
                    ]
                },
                "RootDirectory": {
                    "CreationInfo": {
                        "OwnerGid": "708798",
                        "OwnerUid": "7987987",
                        "Permissions": "0755"
                    },
                    "Path": "/web/production"
                }
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption at Rest
Resources:
  MountTargetVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16
  MountTargetSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.16.1.0/24
      VpcId: !Ref 'MountTargetVPC'
      AvailabilityZone: us-east-1a
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - elasticfilesystem:ClientMount
            Principal:
              AWS: arn:aws:iam::123456789012:role/EFSReadOnlyRole
  EFSMountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref 'EFSFileSystem'
      SubnetId: !Ref 'MountTargetSubnet'
      SecurityGroups:
        - !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref 'EFSFileSystem'
      PosixUser:
        Uid: '13234'
        Gid: '1322'
        SecondaryGids:
          - '1344'
          - '1452'
      RootDirectory:
        CreationInfo:
          OwnerGid: '708798'
          OwnerUid: '7987987'
          Permissions: '0755'
        Path: /web/production

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_efs_file_system" "efs-file-system" {
  creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
  performance_mode = "generalPurpose"
  throughput_mode  = "bursting"

  # Enable Encryption at Rest
  encrypted = true
}

resource "aws_efs_file_system_policy" "file-system-policy" {
  file_system_id = aws_efs_file_system.efs-file-system.id
  policy         = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount"
      ],
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
    }
  ]
}
POLICY
}

resource "aws_efs_mount_target" "efs-mount-target" {
  file_system_id  = aws_efs_file_system.efs-file-system.id
  subnet_id       = "subnet-0abcd1234abcd1234"
  security_groups = ["sg-01234abcd1234abcd"]
}

resource "aws_efs_access_point" "efs-access-point" {
  file_system_id = aws_efs_file_system.efs-file-system.id
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

03 In the main navigation panel, under Elastic File System, choose File systems.

04 Click on the name/ID (link) of the EFS file system that you want to re-create.

05 On the selected file system page, copy the configuration information available in the General section. The configuration information copied at this step is required during the new file system setup.

06 Navigate back to the File systems page and choose Create file system.

07 Inside the Create file system setup box, choose Customize, and perform the following operations:

  1. For Step 1 File system settings, perform the following:
    • Enter a name for your new file system in the Name box.
    • Configure the availability and durability of the file system.
    • Select the Enable automatic backups checkbox to enable automatic backups (recommended).
    • Configure the file system lifecycle management to automatically achieve the right price and performance blend for your application.
    • Select the performance mode of the file system based on IOPS required for your application.
    • Choose throughput mode for the file system, either Bursting or Provisioned.
    • Select the Enable encryption of data at rest checkbox to enable encryption at rest for the new file system. Amazon EFS uses the AWS-managed key (i.e. aws/elasticfilesystem) by default. To achieve better control over who can use the key and access the encrypted data, you can create and manage your own Customer Master Key (CMK) by following the instructions outlined in this conformity rule.
    • (Optional) Use the Add tag button to create tags in order to categorize and identify your file system.
    • Choose Next to continue the setup process.
  2. For Step 2 Network access, choose the VPC where you want EC2 instances to connect to your new file system, and configure mount targets. A mount target provides an NFSv4 endpoint at which you can mount a file system. AWS recommends creating one mount target per Availability Zone (AZ). Choose Next to continue.
  3. (Optional) For Step 3 File system policy - optional, select one or more predefined policies based on your requirements, or create a custom policy using the policy editor (JSON). Choose Next to continue.
  4. For Step 4 Review and create, review the resource configuration details, then choose Create to create your new, encrypted Amazon EFS file system.

08 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from your on-premises server over an AWS Direct Connect connection.

09 Copy the data from the source (unencrypted) EFS file system to the new one.

10 As soon as the data migration process is complete and all your data is loaded into your new (encrypted) file system, you can remove the unencrypted file system from your AWS account in order to avoid further charges:

  1. Connect to your Amazon EC2 instance and unmount the unencrypted EFS file system.
  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.
  3. In the main navigation panel, under Elastic File System, choose File systems.
  4. Select the EFS file system that you want to remove and choose Delete.
  5. In the Delete file system box, confirm the resource deletion by entering the file system's ID, then choose Confirm to delete the selected EFS file system.

11 Repeat steps no. 4 – 10 to enable encryption at rest for each Amazon EFS file system available within the current AWS region.

12 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run describe-file-systems command (OSX/Linux/UNIX) to describe the configuration information available for the selected (unencrypted) file system:

aws efs describe-file-systems \
  --region us-east-1 \
  --file-system-id fs-0abcd1234abcd1234 \
  --query 'FileSystems[*]'

02 The command output should return the requested information. This configuration information will be useful later when the new EFS file system will be created:

[
    {
        "OwnerId": "123456789012",
        "CreationToken": "abcd1234-abcd-1234-abcd-1234abcd1234",
        "FileSystemId": "fs-0abcd1234abcd1234",
        "FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0abcd1234abcd1234",
        "CreationTime": "2022-05-17T10:59:01+00:00",
        "LifeCycleState": "available",
        "NumberOfMountTargets": 0,
        "SizeInBytes": {
            "Value": 6144,
            "Timestamp": "2022-05-19T11:59:32+00:00",
            "ValueInIA": 0,
            "ValueInStandard": 6144
        },
        "PerformanceMode": "generalPurpose",
        "Encrypted": false,
        "ThroughputMode": "bursting",
        "Tags": [
            {
                "Key": "aws:elasticfilesystem:default-backup",
                "Value": "enabled"
            }
        ]
    }
]

03 To provision a new file system, you must first generate a universally unique identifier (UUID) to use as the creation token required by the create-file-system command. Amazon EFS uses this token to make file system creation idempotent: running the command again with the same creation token has no effect, so you can retry a create-file-system request without the risk of creating an extra file system. This matters when an initial request fails in a way that leaves it uncertain whether or not the EFS file system was actually created. As long as you pass the same creation token to the create-file-system command, a "FileSystemAlreadyExists" error in the response tells you that the initial request did succeed in creating the file system. A randomly generated UUID is a suitable creation token.

04 Run create-file-system command (OSX/Linux/UNIX) using the unique token created at the previous step to create a new Amazon EFS file system with the encryption feature enabled. The new file system will be configured with the default master key used for encryption at rest by Amazon EFS service (i.e. aws/elasticfilesystem):

aws efs create-file-system \
  --region us-east-1 \
  --creation-token abcdabcd-abcd-abcd-abcd-abcdabcdabcd \
  --performance-mode generalPurpose \
  --throughput-mode bursting \
  --encrypted

05 The command output should return the configuration information available for the new file system:

{
    "OwnerId": "123456789012",
    "CreationToken": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "FileSystemId": "fs-0123412341234abcd",
    "FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0123412341234abcd",
    "CreationTime": "2022-05-18T12:11:16+00:00",
    "LifeCycleState": "creating",
    "NumberOfMountTargets": 0,
    "SizeInBytes": {
        "Value": 0,
        "ValueInIA": 0,
        "ValueInStandard": 0
    },
    "PerformanceMode": "generalPurpose",
    "Encrypted": true,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
    "ThroughputMode": "bursting",
    "Tags": []
}

06 Run create-mount-target command (OSX/Linux/UNIX) using the ID of the new Amazon EFS file system, returned at the previous step, as the identifier parameter, and the ID of a subnet in the Availability Zone (AZ) where the mount target should be created (change the --subnet-id value accordingly and execute this command for each AZ in which you want a mount target):

aws efs create-mount-target \
  --region us-east-1 \
  --file-system-id fs-0123412341234abcd \
  --subnet-id subnet-abcd1234

07 The command output should return the information available for the new mount target:

{
  "MountTargetId": "fsmt-abcdabcd",
  "NetworkInterfaceId": "eni-abcd1234",
  "FileSystemId": "fs-0123412341234abcd",
  "LifeCycleState": "creating",
  "SubnetId": "subnet-abcd1234",
  "OwnerId": "123456789012",
  "IpAddress": "172.31.10.120"
}

08 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from your on-premises server over an AWS Direct Connect connection.

09 Copy the data from the source (unencrypted) EFS file system to the new one.

10 As soon as the data migration process is complete and all your data is loaded into your new (encrypted) file system, you can safely remove the unencrypted file system from your AWS cloud account. Run delete-file-system command (OSX/Linux/UNIX) using the ID of the file system that you want to delete as the identifier parameter to terminate the unencrypted file system (the command does not produce an output):

aws efs delete-file-system \
  --region us-east-1 \
  --file-system-id fs-0abcd1234abcd1234

11 Repeat steps no. 1 – 10 to enable encryption at rest for each Amazon EFS file system available in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
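Steps 03 and 04 above describe how the creation token makes create-file-system idempotent. The following Python module is an added example (not the page's own code) of using that behaviour safely with boto3: it generates the UUID token, retries creation, recovers the existing file system by token when the service answers FileSystemAlreadyExists, and refuses a file system that exists but is not encrypted (for instance because the token was once used for an unencrypted one). FakeEfsClient is a constructed stand-in for boto3.client("efs") so the logic can be exercised offline.

```python
"""Idempotent creation of an encrypted EFS file system (remediation steps 03-04). Added example."""
import uuid
from typing import Optional


def _error_code(err: Exception) -> str:
    """Service error code as carried by botocore's ClientError in err.response."""
    return getattr(err, "response", {}).get("Error", {}).get("Code", "")


def create_encrypted_file_system(client, creation_token: Optional[str] = None) -> dict:
    """Create an encrypted file system, or recover the one an earlier attempt with the same token created."""
    token = creation_token or str(uuid.uuid4())  # random UUID as the text recommends
    try:
        fs = client.create_file_system(
            CreationToken=token,
            PerformanceMode="generalPurpose",
            ThroughputMode="bursting",
            Encrypted=True,  # uses aws/elasticfilesystem unless KmsKeyId is also passed
        )
    except Exception as err:
        if _error_code(err) != "FileSystemAlreadyExists":
            raise
        # The earlier request did succeed: look the file system up by token instead.
        fs = client.describe_file_systems(CreationToken=token)["FileSystems"][0]
    # Fail closed: a token first used for an unencrypted file system must not be accepted.
    if fs.get("Encrypted") is not True:
        raise RuntimeError(f"{fs.get('FileSystemId')} exists but is not encrypted at rest")
    return fs


class FakeEfsClient:
    """Constructed stand-in for boto3's EFS client that remembers creation tokens."""

    class ClientError(Exception):
        def __init__(self, code: str):
            super().__init__(code)
            self.response = {"Error": {"Code": code}}

    def __init__(self):
        self.created = {}

    def create_file_system(self, CreationToken, Encrypted=False, **_):
        if CreationToken in self.created:
            raise self.ClientError("FileSystemAlreadyExists")
        fs = {"FileSystemId": f"fs-{len(self.created):016x}", "CreationToken": CreationToken,
              "Encrypted": Encrypted, "LifeCycleState": "creating"}
        self.created[CreationToken] = fs
        return fs

    def describe_file_systems(self, CreationToken=None, **_):
        return {"FileSystems": [self.created[CreationToken]]}
```

With a real client, pass boto3.client("efs", region_name="us-east-1") in place of FakeEfsClient(); the returned description carries the FileSystemId needed by create-mount-target in step 06.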

Publication date Oct 9, 2018