Non-encrypted confidential information - EFS
Need
Secure encryption of confidential information in AWS Elastic File System (EFS) using Customer Managed Keys (CMKs)
Context
• Usage of CloudFormation for Infrastructure as Code (IaC)
• Usage of AWS resources such as EFS and KMS
Description
1. Non-compliant code

Resources:
  MyEFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      PerformanceMode: generalPurpose
      Encrypted: false

The CloudFormation template above creates an EFS file system with Encrypted set to false and no customer-managed key configured. By default, AWS EFS encrypts data at rest using an AWS-managed KMS key. While this provides some level of protection, it does not give the customer full control over key management: if the default key is ever compromised, data confidentiality could be at risk. To follow best practices and meet compliance requirements, use a Customer Managed Key (CMK) so that you control the lifecycle and access policies of the encryption key.
2. Steps
• Create a Customer Managed Key (CMK) using AWS::KMS::Key
• Create an AWS::EFS::FileSystem resource with encryption enabled
• Reference the CMK in the KmsKeyId property of the EFS resource
3. Secure code example

Resources:
  EFSEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for EFS encryption
      Enabled: true
      KeyPolicy:
        Statement: ...

The CloudFormation template above first creates a Customer Managed Key (CMK) with the AWS::KMS::Key resource. The key is configured with a 7-day deletion window, so it can be recovered after an accidental deletion request. The EFS file system is then created with encryption enabled and the CMK's ARN passed in its KmsKeyId property. This ensures that data is encrypted with a customer-controlled key, improving control and security over confidential data.
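As an added check that is not part of the original page, the following Python script (standard library only) scans a CloudFormation template for AWS::EFS::FileSystem resources that are unencrypted, encrypted with the AWS-managed key, or whose KmsKeyId points at something other than an AWS::KMS::Key in the same template. The embedded template is a constructed sample: it pairs the page's non-compliant resource with a completed version of the secure example (key policy, 7-day deletion window and the KmsKeyId reference), written in CloudFormation's JSON form so it loads without a YAML library.

```python
"""Flag EFS file systems in a CloudFormation template that are not encrypted with a CMK."""
import json

# Constructed sample template in CloudFormation JSON form (loadable with the stdlib
# json module; the YAML tag !GetAtt becomes {"Fn::GetAtt": [...]}). It combines the
# page's non-compliant resource with a completed version of the secure example.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "EFSEncryptionKey": {"Type": "AWS::KMS::Key", "Properties": {
    "Description": "KMS key for EFS encryption", "Enabled": true,
    "EnableKeyRotation": true, "PendingWindowInDays": 7,
    "KeyPolicy": {"Version": "2012-10-17", "Statement": [{
      "Sid": "AllowAccountAdministration", "Effect": "Allow",
      "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
      "Action": "kms:*", "Resource": "*"}]}}},
  "UnencryptedFS": {"Type": "AWS::EFS::FileSystem", "Properties": {
    "PerformanceMode": "generalPurpose", "Encrypted": false}},
  "DefaultKeyFS": {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": true}},
  "CmkFS": {"Type": "AWS::EFS::FileSystem", "Properties": {
    "Encrypted": true, "KmsKeyId": {"Fn::GetAtt": ["EFSEncryptionKey", "Arn"]}}}
}}
""")


def efs_encryption_findings(template):
    """Return {logical_id: reason} for each EFS file system not protected by a CMK."""
    resources = template.get("Resources", {})
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::EFS::FileSystem":
            continue
        props = res.get("Properties", {})
        key = props.get("KmsKeyId")
        if props.get("Encrypted") is not True:  # absent or false: data at rest unencrypted
            findings[name] = "encryption disabled"
        elif key is None:  # Encrypted without KmsKeyId falls back to the AWS-managed key
            findings[name] = "encrypted with the AWS-managed key, not a CMK"
        elif isinstance(key, dict):  # !Ref / !GetAtt must point at a key in this template
            target = key.get("Ref") or key.get("Fn::GetAtt", [None])[0]
            if target and resources.get(target, {}).get("Type") != "AWS::KMS::Key":
                findings[name] = f"KmsKeyId references {target}, not an AWS::KMS::Key"
    return findings


if __name__ == "__main__":
    for fs_name, reason in efs_encryption_findings(SAMPLE_TEMPLATE).items():
        print(f"{fs_name}: {reason}")
```

A KmsKeyId given as a plain string (a key ARN or alias supplied from outside the template) is accepted as-is, since its type cannot be verified from the template alone.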