Enforce Encryption for New Amazon EFS Resources using IAM Policies

Risk Level: Medium (should be achieved)

Ensure that your new Amazon EFS file systems are always encrypted in order to meet security and compliance requirements. To enforce encryption of data at rest for your new EFS resources you can use Amazon IAM identity-based policies to implement a special condition key named "elasticfilesystem:Encrypted" that in combination with the "elasticfilesystem:CreateFileSystem" action prevents IAM users from creating EFS resources that aren't encrypted.

Security

A security best practice is to encrypt Amazon EFS file system resources in order to protect your data and metadata from unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. With "elasticfilesystem:Encrypted" IAM policy condition key, you can force IAM users to create only encrypted EFS file systems within your AWS cloud account. This feature complements enforcing encryption of data in transit using file system policies, IAM Authorization for NFS clients, and EFS Access Points as efficient tools to manage access to your Amazon EFS resources at scale.

Audit

To determine if your IAM users are forced to create only encrypted Amazon EFS file systems, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.
In the navigation panel, under Access management, choose Users.
Click on the name of the Amazon IAM user that you want to examine.
Select the Permissions tab to access the identity-based policies attached to the selected user.
In the Permissions policies section, click on the Expand button (right arrow icon) available next to each managed/inline policy, and choose {} JSON to show the policy document in JSON format.
Within the {} JSON policy document box, search for the policy statement with the following combination of elements: "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", and "Condition": {"Bool": {"elasticfilesystem:Encrypted": "true"}}. Repeat this step for each managed or inline policy attached to the selected IAM user. If none of the verified policies have the specified combination of elements, which makes use of "elasticfilesystem:Encrypted" condition key, the selected Amazon IAM user is not forced to create only encrypted Amazon EFS file system resources within your AWS cloud account.
Repeat steps no. 4 – 7 for each IAM user available within your AWS cloud account.

Using AWS CLI

Run list-users command (OSX/Linux/UNIX) with custom query filters to list the names of all IAM users available within your AWS account:
```
aws iam list-users
  --output table
  --query 'Users[*].UserName'
```

The command output should return a table with the requested IAM user identifiers:

----------------------
|     ListUsers      |
+--------------------+
|  cc-stack-manager  |
|  cc-efs-developer  |
+--------------------+

Run list-attached-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to list the Amazon Resource Names (ARNs) of the managed IAM policies attached to the selected user:
```
aws iam list-attached-user-policies
  --user-name cc-stack-manager
  --query 'AttachedPolicies[*].PolicyArn'
```

The command output should return the ARNs of the managed policies attached to the selected IAM user:

[
	"arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess",
	"arn:aws:iam::123456789012:policy/cc-stack-access"
]

Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that you want to examine as the identifier parameter and custom query filters to describe the policy document in JSON format. Repeat this step for each managed IAM policy attached to the selected IAM user:
```
aws iam get-policy-version
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess
  --version-id v1
  --query 'PolicyVersion.Document'
```

The command output should return the requested IAM policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"ec2:CreateNetworkInterface",
				"ec2:DeleteNetworkInterface",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeNetworkInterfaceAttribute",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSubnets",
				"ec2:DescribeVpcs",
				"ec2:ModifyNetworkInterfaceAttribute",
				"elasticfilesystem:*"
			],
			"Resource": "*",
			"Effect": "Allow"
		}
	]
}

Run list-user-policies command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter and custom filtering to list the names of the inline policies embedded within the selected IAM user:
```
aws iam list-user-policies
  --user-name cc-stack-manager
  --query 'PolicyNames'
```
The command output should return the names of the inline policies embedded within the user:
```
[
	"cc-inline-stack-policy",
	"cc-custom-file-access"
]
```
Run get-user-policy command (OSX/Linux/UNIX) using the name of the inline policy that you want to examine as the identifier parameter, returned at the previous step, to describe the IAM policy document in JSON format. Repeat this step for each inline policy attached to the selected IAM user:
```
aws iam get-user-policy
  --user-name cc-stack-manager
  --policy-name cc-inline-stack-policy
  --query 'PolicyDocument'
```

The command output should return the requested IAM policy document:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpcAttribute"
			],
			"Resource": "*",
			"Effect": "Allow",
			"Sid": "AddtionalEC2PermissionsForConsole"
		},
		{
			"Action": [
				"kms:ListAliases",
				"kms:DescribeKey"
			],
			"Resource": "*",
			"Effect": "Allow",
			"Sid": "AdditionalKMSPermissionsForConsole"
		}
	]
}

Search for the following combination of elements: "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", and "Condition": {"Bool": {"elasticfilesystem:Encrypted": "true"}} within the policy documents returned by the get-policy-version command output at step no. 6 and get-user-policy command output at step no. 10. If the verified policies do not contain the specified combination of elements, which makes use of "elasticfilesystem:Encrypted" condition key, the selected Amazon IAM user is not forced to follow security best practices and create only encrypted Amazon EFS file system resources within your AWS cloud account.
Repeat steps no. 3 – 11 for each Amazon IAM user available in your AWS cloud account.

Remediation / Resolution

To enforce encryption at rest for new Amazon EFS file system resources using IAM identity-based policies, perform the following actions:

Note: As an example, this rule demonstrates how to enforce encryption of data at rest for new Amazon EFS file systems using customer-managed IAM policies.

Using AWS CloudFormation

CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enforce Encryption using Policies",
	"Resources": {
		"MountTargetVPC": {
			"Type": "AWS::EC2::VPC",
			"Properties": {
				"CidrBlock": "172.16.0.0/16"
			}
		},
		"MountTargetSubnet": {
			"Type": "AWS::EC2::Subnet",
			"Properties": {
				"CidrBlock": "172.16.1.0/24",
				"VpcId": {
					"Ref": "MountTargetVPC"
				},
				"AvailabilityZone": "us-east-1a"
			}
		},
		"EFSFileSystem": {
			"Type": "AWS::EFS::FileSystem",
			"Properties": {
				"PerformanceMode": "generalPurpose",
				"ThroughputMode": "bursting",
				"FileSystemPolicy": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "EnforceEncryptionAtCreation",
							"Effect": "Allow",
							"Action": "elasticfilesystem:CreateFileSystem",
							"Condition": {
								"Bool": {
									"elasticfilesystem:Encrypted": "true"
								}
							},
							"Resource": "*"
						}
					]
				}
			}
		},
		"EFSMountTarget": {
			"Type": "AWS::EFS::MountTarget",
			"Properties": {
				"FileSystemId": {
					"Ref": "EFSFileSystem"
				},
				"SubnetId": {
					"Ref": "MountTargetSubnet"
				},
				"SecurityGroups": [
					{
						"Fn::GetAtt": [
							"MountTargetVPC",
							"DefaultSecurityGroup"
						]
					}
				]
			}
		},
		"EFSAccessPoint": {
			"Type": "AWS::EFS::AccessPoint",
			"Properties": {
				"FileSystemId": {
					"Ref": "EFSFileSystem"
				},
				"PosixUser": {
					"Uid": "13234",
					"Gid": "1322",
					"SecondaryGids": [
						"1344",
						"1452"
					]
				},
				"RootDirectory": {
					"CreationInfo": {
						"OwnerGid": "708798",
						"OwnerUid": "7987987",
						"Permissions": "0755"
					},
					"Path": "/web/production"
				}
			}
		}
	}
}

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enforce Encryption using Policies
	Resources:
	MountTargetVPC:
		Type: AWS::EC2::VPC
		Properties:
		CidrBlock: 172.16.0.0/16
	MountTargetSubnet:
		Type: AWS::EC2::Subnet
		Properties:
		CidrBlock: 172.16.1.0/24
		VpcId: !Ref 'MountTargetVPC'
		AvailabilityZone: us-east-1a
	EFSFileSystem:
		Type: AWS::EFS::FileSystem
		Properties:
		PerformanceMode: generalPurpose
		ThroughputMode: bursting
		FileSystemPolicy:
			Version: '2012-10-17'
			Statement:
			- Sid: EnforceEncryptionAtCreation
				Effect: Allow
				Action: elasticfilesystem:CreateFileSystem
				Condition:
				Bool:
					elasticfilesystem:Encrypted: 'true'
				Resource: '*'
	EFSMountTarget:
		Type: AWS::EFS::MountTarget
		Properties:
		FileSystemId: !Ref 'EFSFileSystem'
		SubnetId: !Ref 'MountTargetSubnet'
		SecurityGroups:
			- !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
	EFSAccessPoint:
		Type: AWS::EFS::AccessPoint
		Properties:
		FileSystemId: !Ref 'EFSFileSystem'
		PosixUser:
			Uid: '13234'
			Gid: '1322'
			SecondaryGids:
			- '1344'
			- '1452'
		RootDirectory:
			CreationInfo:
			OwnerGid: '708798'
			OwnerUid: '7987987'
			Permissions: '0755'
			Path: /web/production

Using Terraform (AWS Provider)

Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_efs_file_system" "efs-file-system" {
	creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
	performance_mode = "generalPurpose"
	throughput_mode  = "bursting"
}

# Enforce Encryption using Policies
resource "aws_efs_file_system_policy" "file-system-policy" {
	file_system_id = aws_efs_file_system.efs-file-system.id
	policy = <<POLICY
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Sid": "EnforceEncryptionAtCreation",
				"Effect": "Allow",
				"Action": "elasticfilesystem:CreateFileSystem",
				"Condition": {
					"Bool": {
						"elasticfilesystem:Encrypted": "true"
					}
				},
				"Resource": "*"
			}
		]
	}
	POLICY
}

resource "aws_efs_mount_target" "efs-mount-target" {
	file_system_id  = aws_efs_file_system.efs-file-system.id
	subnet_id       = "subnet-0abcd1234abcd1234"
	security_groups = ["sg-01234abcd1234abcd"]
}

resource "aws_efs_access_point" "efs-access-point" {
	file_system_id = aws_efs_file_system.efs-file-system.id
}

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.
In the navigation panel, under Access management, choose Policies.
Click on the Create policy button from the console top menu to initiate the setup process.
On the Create policy configuration page, select the JSON tab, and paste the following policy document. The IAM policy listed below implements the following combination of elements: "Effect": "Allow", "Action": "elasticfilesystem:CreateFileSystem", and "Condition": {"Bool": {"elasticfilesystem:Encrypted": "true"}}, to force the associated IAM user to follow security best practices and create only encrypted Amazon EFS file systems in your AWS account. Once this policy is implemented, if the associated IAM user tries to create an unencrypted Amazon EFS file system, the request fails:
```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "EnforceEncryptionAtCreation",
			"Effect": "Allow",
			"Action": "elasticfilesystem:CreateFileSystem",
			"Condition": {
				"Bool": {
					"elasticfilesystem:Encrypted": "true"
				}
			},
			"Resource": "*"
		}
	]
}
```
Select Next: Tags and use the Add tag button to configure tags for the new IAM policy.
Select Next: Review and provide a unique name and a description for your new policy in the Nameand Descriptionboxes.
Choose Create policy to create your new Amazon IAM policy.
In the navigation panel, under Access management, choose Users.
Click on the name of the Amazon IAM user that you want to reconfigure.
Select the Permissions tab and choose Add permissions to attach the new IAM policy.
On the Add permissions to <iam-user-name> configuration page, choose the Attach existing policies directly tab, and use the Search box to find and select the managed IAM policy created at the previous steps. Once the policy is selected, choose Next: Review, review the policy information, then choose Add permissions to attach your policy to the selected IAM user.
Repeat steps no. 10 – 12 to enforce other IAM users available in your AWS account to create encrypted Amazon EFS file systems.

Using AWS CLI

Define the required set of permissions that forces the associated IAM user to follow security best practices and create only encrypted Amazon EFS file systems within your AWS account. Once the policy is implemented, if the associated IAM user tries to create an unencrypted EFS file system resource, the request should fail and throw the following error: "User: arn:aws:iam::<aws-account-id>:user/<iam-user-name> is not authorized to perform: elasticfilesystem:CreateFileSystem on the specified resource". Save the following IAM policy to a JSON document named enforce-efs-encryption-policy.json:
```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "EnforceEncryptionAtCreation",
			"Effect": "Allow",
			"Action": "elasticfilesystem:CreateFileSystem",
			"Condition": {
				"Bool": {
					"elasticfilesystem:Encrypted": "true"
				}
			},
			"Resource": "*"
		}
	]
}
```
Run create-policy command (OSX/Linux/UNIX) using the policy document defined at the previous step, to create the customer-managed policy that should enforce encryption at rest for new Amazon EFS file system resources:
```
aws iam create-policy
  --policy-name enforce-efs-encryption-policy
  --policy-document file://enforce-efs-encryption-policy.json
```

The command output should return the metadata for the new managed policy:

{
	"Policy": {
		"PolicyName": "enforce-efs-encryption-policy",
		"PermissionsBoundaryUsageCount": 0,
		"CreateDate": "2023-01-106T10:00:00Z",
		"AttachmentCount": 0,
		"IsAttachable": true,
		"PolicyId": "ABCDABCDABCDABCDABCD",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:policy/enforce-efs-encryption-policy",
		"UpdateDate": "2023-01-106T10:00:00Z"
	}
}

Run attach-user-policy command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to reconfigure as the identifier parameter, to attach the managed IAM policy created at the previous steps:
```
aws iam attach-user-policy
  --user-name cc-stack-manager
  --policy-arn arn:aws:iam::123456789012:policy/enforce-iac-managed-policy
```
Repeat steps no. 1 – 4 to enforce other IAM users available in your AWS account to create encrypted Amazon EFS file systems.

References

AWS Announcements
Enforce encryption for Amazon Elastic File System resources using AWS IAM

AWS Command Line Interface (CLI) Documentation
list-users
list-attached-user-policies
get-policy-version
list-user-policies
get-user-policy
create-policy
attach-user-policy

Publication date Jan 17, 2024

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related EFS rules