- Knowledge Base
- Amazon Web Services
- Amazon Elastic File System (EFS)
- AWS KMS Customer Master Keys for EFS Encryption
Ensure that your Amazon EFS file systems are using KMS Customer Master Keys (CMKs) instead of AWS managed-keys in order to have a more granular control over your file system data encryption/decryption process. When you use encryption at rest with Customer Master Keys, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Security Unlike the AWS-managed key (the default master key used by Amazon EFS for file systems encryption), the customer-provided Customer Master Key (CMK) will allow you to view the key policy and audit the encryption and decryption process of your data (including the system metadata). When you define and use your own Amazon KMS Customer Master Keys (CMKs) to protect your data, you gain full control over who can use these keys to access the data available on your EFS file systems.
Audit
To determine the encryption status and configuration for your Amazon EFS file systems, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.
03 In the main navigation panel, under Elastic File System, choose File systems.
04 Click on the name/ID (link) of the EFS file system that you want to examine.
05 In the General section, check the Encrypted attribute value. If the Encrypted value is set to No, the selected Amazon EFS file system is not encrypted at rest. If the Encrypted value, representing the ID/alias of the master key used for encryption, contains aws/elasticfilesystem (the alias of the AWS-managed key used for EFS file systems), the data on the selected Amazon EFS file system is not encrypted at rest using a customer-managed Customer Master Key (CMK).
06 Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-file-systems command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EFS file system provisioned in the selected AWS region:
aws efs describe-file-systems --region us-east-1 --output table --query 'FileSystems[*].FileSystemId'
02 The command output should return a table with the requested file system ID(s):
-------------------------- | DescribeFileSystems | +------------------------+ | fs-0abcd1234abcd1234 | | fs-01234abcd1234abcd | +------------------------+
03 Run describe-file-systems command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to examine as the identifier and custom query filters to describe the ARN of the KMS key used to encrypt the data on the selected file system:
aws efs describe-file-systems --region us-east-1 --file-system-id fs-0abcd1234abcd1234 --query 'FileSystems[*].KmsKeyId'
04 The command output should return the requested Amazon Resource Name (ARN) or null if the data on the selected file system is not encrypted at rest:
"arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-1234-abcd-123412341234"
05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe manager of the specified KMS key:
aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-1234-abcd-123412341234 --query 'KeyMetadata.KeyManager'
06 The command output should the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-managed):
"AWS"
If the describe-key command output returns "AWS", as shown in the output example above, the data on the selected Amazon EFS file system is not encrypted at rest using a customer-managed Customer Master Key (CMK).
07 Repeat steps no. 3 – 6 for each Amazon EFS file system provisioned in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To reconfigure your existing Amazon EFS file systems to use your own KMS Customer Master Keys (CMKs) for encryption of data at rest, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Enable Encryption at Rest using Customer Master Keys (CMKs)",
"Resources": {
"MountTargetVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.16.0.0/16"
}
},
"MountTargetSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "172.16.1.0/24",
"VpcId": {
"Ref": "MountTargetVPC"
},
"AvailabilityZone": "us-east-1a"
}
},
"EFSFileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"FileSystemPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount"
],
"Principal": {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
}
]
}
}
},
"EFSMountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": {
"Ref": "EFSFileSystem"
},
"SubnetId": {
"Ref": "MountTargetSubnet"
},
"SecurityGroups": [
{
"Fn::GetAtt": [
"MountTargetVPC",
"DefaultSecurityGroup"
]
}
]
}
},
"EFSAccessPoint": {
"Type": "AWS::EFS::AccessPoint",
"Properties": {
"FileSystemId": {
"Ref": "EFSFileSystem"
},
"PosixUser": {
"Uid": "13234",
"Gid": "1322",
"SecondaryGids": [
"1344",
"1452"
]
},
"RootDirectory": {
"CreationInfo": {
"OwnerGid": "708798",
"OwnerUid": "7987987",
"Permissions": "0755"
},
"Path": "/web/production"
}
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption at Rest using Customer Master Keys (CMKs)
Resources:
MountTargetVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 172.16.0.0/16
MountTargetSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 172.16.1.0/24
VpcId: !Ref 'MountTargetVPC'
AvailabilityZone: us-east-1a
EFSFileSystem:
Type: AWS::EFS::FileSystem
Properties:
Encrypted: true
KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
PerformanceMode: generalPurpose
ThroughputMode: bursting
FileSystemPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- elasticfilesystem:ClientMount
Principal:
AWS: arn:aws:iam::123456789012:role/EFSReadOnlyRole
EFSMountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref 'EFSFileSystem'
SubnetId: !Ref 'MountTargetSubnet'
SecurityGroups:
- !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
EFSAccessPoint:
Type: AWS::EFS::AccessPoint
Properties:
FileSystemId: !Ref 'EFSFileSystem'
PosixUser:
Uid: '13234'
Gid: '1322'
SecondaryGids:
- '1344'
- '1452'
RootDirectory:
CreationInfo:
OwnerGid: '708798'
OwnerUid: '7987987'
Permissions: '0755'
Path: /web/production
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
region = "us-east-1"
}
resource "aws_efs_file_system" "efs-file-system" {
creation_token = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
performance_mode = "generalPurpose"
throughput_mode = "bursting"
# Enable Encryption at Rest using Customer Master Keys (CMKs)
encrypted = "true"
kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}
resource "aws_efs_file_system_policy" "file-system-policy" {
file_system_id = aws_efs_file_system.efs-file-system.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:ClientMount"
],
"Principal": {"AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"}
}
]
}
POLICY
}
resource "aws_efs_mount_target" "efs-mount-target" {
file_system_id = aws_efs_file_system.efs-file-system.id
subnet_id = "subnet-0abcd1234abcd1234"
security_groups = ["sg-01234abcd1234abcd"]
}
resource "aws_efs_access_point" "efs-access-point" {
file_system_id = aws_efs_file_system.efs-file-system.id
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.
03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.
4 Choose the Create Key button from the console top menu to initiate the CMK setup process.
05 For Step 1 Configure key, perform the following operations:
- Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encrypt and decrypt operations.
- Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
- Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
- Choose Next to continue.
06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in Description – optional box. (Optional) Use the Add tag button to create tags in order categorize and identify your CMK. Choose Next to continue the setup process.
07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.
08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.
09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".
10 Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.
11 In the main navigation panel, under Elastic File System, choose File systems.
12 Click on the name/ID (link) of the EFS file system that you want to re-create.
13 On the selected file system page, copy the configuration information available in the General section. The configuration information copied at this step is required during the new file system setup.
14 Navigate back to the File systems page and choose Create file system.
15 Inside the Create file system setup box, choose Customize, and perform the following operations:
- For Step 1 File system settings, perform the following:
- Enter a name for your new file system in the Name box.
- Configure the availability and durability of the file system.
- Select the Enable automatic backups checkbox to enable automatic backups (recommended).
- Configure the file system lifecycle management to automatically achieve the right price and performance blend for your application.
- Select the performance mode of the file system based on IOPS required for your application.
- Choose throughput mode for the file system, either Bursting or Provisioned.
- Select the Enable encryption of data at rest checkbox to enable encryption at rest for the new file system.
- Choose Customize encryption settings and select the ID of the KMS Customer Master Key (CMK) created earlier in the Remediation process from the KMS key dropdown list.
- (Optional) Use the Add tag button to create tags in order categorize and identify your file system.
- Choose Next to continue the setup process.
- For Step 2 Network access, choose the VPC where you want EC2 instances to connect to your new file system, and configure mount targets. A mount target provides an NFSv4 endpoint at which you can mount a file system. AWS recommends creating one mount target per Availability Zone (AZ). Choose Next to continue.
- (Optional) For Step 3 File system policy - optional, select one or more predefined policies based on your requirements, or create a custom policy using the policy editor (JSON). Choose Next to continue.
- For Step 4 Review and create, review the resource configuration details, then choose Create to create your new Amazon EFS file system.
16 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from your on-premise server over an AWS Direct Connect connection.
17 Copy the data from the source EFS file system (encrypted with the default key) to the new one (encrypted with customer-provided CMK).
18 As soon as the data migration process is complete and all your data is loaded into your new file system, you can remove the source file system from your AWS account in order to avoid further charges:
- Connect to your Amazon EC2 instance and unmount the source EFS file system.
- Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.
- In the main navigation panel, under Elastic File System, choose File systems.
- Select the EFS file system that you want to remove and choose Delete.
- In the Delete file system box, confirm the resource deletion by entering the file system's ID, then choose Confirm to delete the selected EFS file system.
19 Repeat steps no. 12 – 18 to enable encryption at rest using customer-provided Customer Master Keys for each EFS file system available within the current AWS region.
20 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your EFS file system data using the KMS API. Create a new policy document (JSON format), name the file efs-data-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
"Id": "protected-cmk-policy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. efs-data-cmk-policy.json) as value for the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer Master Key for EFS File System Data Encryption' --policy file://efs-data-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Master Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/FileSystemDataCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Run describe-file-systems command (OSX/Linux/UNIX) to describe the configuration information available for the selected (source) file system:
aws efs describe-file-systems --region us-east-1 --file-system-id fs-0abcd1234abcd1234 --query 'FileSystems[*]'
06 The command output should return the requested information. This configuration information will be useful later when the new EFS file system will be created:
[
{
"OwnerId": "123456789012",
"CreationToken": "abcd1234-abcd-1234-abcd-1234abcd1234",
"FileSystemId": "fs-0abcd1234abcd1234",
"FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0abcd1234abcd1234",
"CreationTime": "2022-05-17T10:59:01+00:00",
"LifeCycleState": "available",
"NumberOfMountTargets": 0,
"SizeInBytes": {
"Value": 6144,
"Timestamp": "2022-05-19T11:59:32+00:00",
"ValueInIA": 0,
"ValueInStandard": 6144
},
"PerformanceMode": "generalPurpose",
"Encrypted": false,
"ThroughputMode": "bursting",
"Tags": [
{
"Key": "aws:elasticfilesystem:default-backup",
"Value": "enabled"
}
]
}
]
07 To provision a new file system, you have to generate a universally unique identifier (UUID) in order to create the token required by the create-file-system command, token needed by the Amazon EFS service to ensure idempotent creation (executing the command with same creation token has no effect). The idempotent operation allows you to retry a create-file-system command request without the risk of creating an extra file system. This can happen when an initial request fails in a way that leaves it uncertain whether or not the EFS file system was actually created. As long as you use the same creation token as parameter for the create-file-system command, if the initial request had succeeded in creating a file system, you can learn of its existence from the "FileSystemAlreadyExists" error returned as response. To create the required token, you can use a randomly generated UUID.
08 Run create-file-system command (OSX/Linux/UNIX) using the unique token created at the previous step to create a new Amazon EFS file system with the appropriate encryption configuration. The new file system will be configured with the Amazon KMS Customer Master Key (CMK) created at the previous steps:
aws efs create-file-system --region us-east-1 --creation-token abcdabcd-abcd-abcd-abcd-abcdabcdabcd --performance-mode generalPurpose --throughput-mode bursting --encrypted --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
09 The command output should return the configuration information available for the new file system:
{
"OwnerId": "123456789012",
"CreationToken": "abcd1234-abcd-1234-abcd-1234abcd1234",
"FileSystemId": "fs-0123412341234abcd",
"FileSystemArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0123412341234abcd",
"CreationTime": "2022-05-18T12:11:16+00:00",
"LifeCycleState": "creating",
"NumberOfMountTargets": 0,
"SizeInBytes": {
"Value": 0,
"ValueInIA": 0,
"ValueInStandard": 0
},
"PerformanceMode": "generalPurpose",
"Encrypted": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
"ThroughputMode": "bursting",
"Tags": []
}
10 Run create-mount-target command (OSX/Linux/UNIX) using the ID of the new Amazon EFS file system, returned at the previous step, as the identifier parameter, and the ID of the Availability Zone (AZ) that will represent the mount target (change the --subnet-id value accordingly and execute this command for each AZ that you want to use as mount target):
aws efs create-mount-target --region us-east-1 --file-system-id fs-0123412341234abcd --subnet-id subnet-abcd1234
11 The command output should return the information available for the new mount target:
{
"MountTargetId": "fsmt-abcdabcd",
"NetworkInterfaceId": "eni-abcd1234",
"FileSystemId": "fs-0123412341234abcd",
"LifeCycleState": "creating",
"SubnetId": "subnet-abcd1234",
"OwnerId": "123456789012",
"IpAddress": "172.31.10.120"
}
12 Now you can mount your file system from an EC2 instance with an NFSv4 client installed. You can also mount your file system from your on-premise server over an AWS Direct Connect connection.
13 Copy the data from the source EFS file system (encrypted with the default key) to the new file system (encrypted with customer-provided CMK).
14 As soon as the data migration process is complete and all your data is loaded into your new file system, you can safely remove the unencrypted file system from your AWS cloud account. Run delete-file-system command (OSX/Linux/UNIX) using the ID of the file system that you want to delete as the identifier parameter to terminate the specified file system (the command does not produce an output):
aws efs delete-file-system --region us-east-1 --file-system-id fs-0abcd1234abcd1234
15 Repeat steps no. 5 – 14 to enable encryption at rest using customer-provided Customer Master Keys for each Amazon EFS file system available in the selected AWS region.
16 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
References
- AWS Documentation
- Amazon EFS FAQs
- Amazon EFS features
- Data encryption in Amazon EFS
- Working with Amazon EFS resources
- Managing Amazon EFS file systems
- Step 1: Create your Amazon EFS file system
- What is Amazon Elastic File System?
- Online UUID Generator
- AWS Command Line Interface (CLI) Documentation
- efs
- describe-file-systems
- create-file-system
- create-mount-target
- delete-file-system
- kms
- describe-key
- create-key
- create-alias
- CloudFormation Documentation
- Amazon Elastic File System resource type reference
- Terraform Documentation
- AWS Provider
Related EFS rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
AWS KMS Customer Master Keys for EFS Encryption
Risk Level: High