406 – Non-encrypted confidential information - EFS

Description

The AWS Elastic File System (EFS) service is encrypted with a default KMS key. Best practices recommend encrypting EFS instances using Customer Managed Keys (CMKs) to reduce risk of exposure and give full control of encrypted information.

Impact

Obtain confidential information from file system

Recommendation

Enable the EFS encryption using a KMS Customer Managed Key (CMK)

Threat

Anonymous attacker with local access to one or more EFS instances

Expected Remediation Time

20 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 185 - Encrypt sensitive information
• 300 - Mask sensitive data

Fixes

• Aws
• Cloudformation

Last updated

2024/02/20