Enforce In-Transit Encryption

Risk Level: High (not acceptable risk)

Ensure that your Amazon EFS file systems are configured to enforce in-transit encryption for all NFS clients connecting to the file systems. To enable encryption of data in transit using SSL/TLS, configure the "aws:SecureTransport" condition key within the file system policy to enforce the NFS clients to use SSL/TLS when accessing your Amazon EFS file systems.

Security

When working with production data, it is strongly recommended to enforce in-transit encryption in order to protect your EFS data from unauthorized access and to fulfill your organization's compliance requirements for data encryption. A typical requirement of this kind is the protection of sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled in the Financial Services, Healthcare, and Telecommunications sectors.


Audit

To determine if your Amazon EFS file systems are configured to enforce in-transit encryption, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the EFS file system that you want to examine.

  5. Select the File system policy tab and check the Policy document for a condition element key named "aws:SecureTransport". If the "aws:SecureTransport" key is not found, the file system associated with the verified policy is not configured to enforce in-transit encryption. If the "aws:SecureTransport" condition key is defined, check the "Effect" element value configured for the appropriate statement. If the "Effect" element is set to "Allow" and the "aws:SecureTransport" key is set to "false", in-transit encryption is not enforced. If the "Effect" is set to "Deny" and the "aws:SecureTransport" key is set to "true", in-transit encryption is also disabled for the selected Amazon EFS file system.

  6. Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-file-systems command (OSX/Linux/UNIX) with custom query filters to list the name of each Amazon EFS file system provisioned in the selected AWS region:

    aws efs describe-file-systems \
      --region us-east-1 \
      --output table \
      --query 'FileSystems[*].FileSystemId'
    
  2. The command output should return a table with the requested file system ID(s):

    --------------------------
    |   DescribeFileSystems  |
    +------------------------+
    |  fs-0abcd1234abcd1234  |
    |  fs-01234abcd1234abcd  |
    +------------------------+
    
  3. Run describe-file-system-policy command (OSX/Linux/UNIX) using the ID of the EFS file system that you want to examine as the identifier parameter and the custom query filters to describe the access policy defined for the selected file system:

    aws efs describe-file-system-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --query 'Policy'
    
  4. The command request should return the access policy document associated with the selected EFS file system:

    1. If the following error message is returned: "An error occurred (PolicyNotFound) when calling the DescribeFileSystemPolicy operation: None", the selected Amazon EFS file system does not have an access policy attached.
    2. If the "aws:SecureTransport" condition element key is not defined within the associated policy, as shown in the example below, the selected Amazon EFS file system is not configured to enforce in-transit encryption:
      	{
      		"Version": "2012-10-17",
      		"Id": "efs-policy-wizard-abcd1234-1234abcd",
      		"Statement": [
      			{
      				"Sid": "efs-read-only-access",
      				"Effect": "Allow",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": [
      					"elasticfilesystem:ClientRootAccess",
      					"elasticfilesystem:ClientMount"
      				],
      				"Condition": {
      					"Bool": {
      						"elasticfilesystem:AccessedViaMountTarget": "true"
      					}
      				}
      			}
      		]
      	}
      	
    3. If the "aws:SecureTransport" condition key is defined for the access policy, check the "Effect" element value configured for the corresponding policy statement.
      • If the "Effect" element is set to "Allow" and the "aws:SecureTransport" key is set to "false", as shown in the example below, in-transit encryption is not enforced for the selected file system:
        	{
        		"Version": "2012-10-17",
        		"Id": "cc-efs-policy",
        		"Statement": [
        		... 
        			{
        				"Sid": "efs-encrypted",
        				"Effect": "Allow",
        				"Principal": {
        					"AWS": "*"
        				},
        				"Action": [
        					"elasticfilesystem:ClientMount",
        					"elasticfilesystem:ClientRootAccess",
        					"elasticfilesystem:ClientWrite"
        				],
        				"Condition": {
        					"Bool": {
        						"aws:SecureTransport": "false"
        					}
        				}
        			}
        		... 
        		]
        	}
        	
      • If the "Effect" is set to "Deny" and the "aws:SecureTransport" condition key is set to "true", as shown in the example below, in-transit encryption is also disabled for the selected Amazon EFS file system:
        	{
        		"Version": "2012-10-17",
        		"Id": "cc-efs-policy",
        		"Statement": [
        		...
        			{
        				"Sid": "efs-encrypted",
        				"Effect": "Deny",
        				"Principal": {
        					"AWS": "*"
        				},
        				"Action": "*",
        				"Condition": {
        					"Bool": {
        						"aws:SecureTransport": "true"
        					}
        				}
        			}
        		... 
        		]
        	}
        	
  5. Repeat steps no. 3 and 4 for each Amazon EFS file system available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enforce in-transit encryption for your existing Amazon EFS file systems, perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Enforce In-Transit Encryption",
    	"Resources": {
    		"MountTargetVPC": {
    			"Type": "AWS::EC2::VPC",
    			"Properties": {
    				"CidrBlock": "172.16.0.0/16"
    			}
    		},
    		"MountTargetSubnet": {
    			"Type": "AWS::EC2::Subnet",
    			"Properties": {
    				"CidrBlock": "172.16.1.0/24",
    				"VpcId": {
    					"Ref": "MountTargetVPC"
    				},
    				"AvailabilityZone": "us-east-1a"
    			}
    		},
    		"EFSFileSystem": {
    			"Type": "AWS::EFS::FileSystem",
    			"Properties": {
    				"PerformanceMode": "generalPurpose",
    				"ThroughputMode": "bursting",
    				"FileSystemPolicy": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Effect": "Allow",
    							"Principal": {
    								"AWS": "*"
    							},
    							"Action": [
    								"elasticfilesystem:ClientWrite",
    								"elasticfilesystem:ClientMount"
    							],
    							"Condition": {
    								"Bool": {
    									"elasticfilesystem:AccessedViaMountTarget": "true"
    								}
    							}
    						},
    						{
    							"Effect": "Deny",
    							"Principal": {
    								"AWS": "*"
    							},
    							"Action": "*",
    							"Condition": {
    								"Bool": {
    									"aws:SecureTransport": "false"
    								}
    							}
    						}
    					]
    				}
    			}
    		},
    		"EFSMountTarget": {
    			"Type": "AWS::EFS::MountTarget",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"SubnetId": {
    					"Ref": "MountTargetSubnet"
    				},
    				"SecurityGroups": [
    					{
    						"Fn::GetAtt": [
    							"MountTargetVPC",
    							"DefaultSecurityGroup"
    						]
    					}
    				]
    			}
    		},
    		"EFSAccessPoint": {
    			"Type": "AWS::EFS::AccessPoint",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"PosixUser": {
    					"Uid": "13234",
    					"Gid": "1322",
    					"SecondaryGids": [
    						"1344",
    						"1452"
    					]
    				},
    				"RootDirectory": {
    					"CreationInfo": {
    						"OwnerGid": "708798",
    						"OwnerUid": "7987987",
    						"Permissions": "0755"
    					},
    					"Path": "/web/production"
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enforce In-Transit Encryption
    Resources:
      MountTargetVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 172.16.0.0/16
      MountTargetSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          CidrBlock: 172.16.1.0/24
          VpcId: !Ref 'MountTargetVPC'
          AvailabilityZone: us-east-1a
      EFSFileSystem:
        Type: AWS::EFS::FileSystem
        Properties:
          PerformanceMode: generalPurpose
          ThroughputMode: bursting
          FileSystemPolicy:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  AWS: '*'
                Action:
                  - elasticfilesystem:ClientWrite
                  - elasticfilesystem:ClientMount
                Condition:
                  Bool:
                    elasticfilesystem:AccessedViaMountTarget: 'true'
              # Deny every action over a connection that is not TLS-protected
              - Effect: Deny
                Principal:
                  AWS: '*'
                Action: '*'
                Condition:
                  Bool:
                    aws:SecureTransport: 'false'
      EFSMountTarget:
        Type: AWS::EFS::MountTarget
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          SubnetId: !Ref 'MountTargetSubnet'
          SecurityGroups:
            - !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
      EFSAccessPoint:
        Type: AWS::EFS::AccessPoint
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          PosixUser:
            Uid: '13234'
            Gid: '1322'
            SecondaryGids:
              - '1344'
              - '1452'
          RootDirectory:
            CreationInfo:
              OwnerGid: '708798'
              OwnerUid: '7987987'
              Permissions: '0755'
            Path: /web/production
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_efs_file_system" "efs-file-system" {
    	creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
    	performance_mode = "generalPurpose"
    	throughput_mode  = "bursting"
    }
    
    # Enforce In-Transit Encryption
    resource "aws_efs_file_system_policy" "file-system-policy" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    	policy = <<POLICY
    	{
    		"Version": "2012-10-17",
    		"Statement": [
    			{
    				"Effect": "Allow",
    				"Principal": {
    					"AWS": "*"
    				},
    				"Action": [
    					"elasticfilesystem:ClientWrite",
    					"elasticfilesystem:ClientMount"
    				],
    				"Condition": {
    					"Bool": {
    						"elasticfilesystem:AccessedViaMountTarget": "true"
    					}
    				}
    			},
    			{
    				"Effect": "Deny",
    				"Principal": {
    					"AWS": "*"
    				},
    				"Action": "*",
    				"Condition": {
    					"Bool": {
    						"aws:SecureTransport": "false"
    					}
    				}
    			}
    		]
    	}
    	POLICY
    }
    
    resource "aws_efs_mount_target" "efs-mount-target" {
    	file_system_id  = aws_efs_file_system.efs-file-system.id
    	subnet_id       = "subnet-0abcd1234abcd1234"
    	security_groups = ["sg-01234abcd1234abcd"]
    }
    
    resource "aws_efs_access_point" "efs-access-point" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the EFS file system that you want to examine.

  5. Select the File system policy tab and choose Edit to modify the policy associated with your file system.

  6. On the File system policy configuration page, perform one of the following actions:

    1. If the selected file system does not have an access policy attached, select the Enforce in-transit encryption for all clients checkbox from the Policy options section, and choose Save to apply the predefined policy. Once attached, the policy should enforce in-transit encryption for all the NFS clients that are connecting to your file system.
    2. If the selected file system does have an access policy already defined, add the following statement to the "Statement" policy element. This will enforce in-transit encryption using SSL/TLS for all NFS clients:
      	{
      		"Sid": "efs-encrypted-in-transit",
      		"Effect": "Deny",
      		"Principal": {
      			"AWS": "*"
      		},
      		"Action": "*",
      		"Condition": {
      			"Bool": {
      				"aws:SecureTransport": "false"
      			}
      		}
      	}
      	
  7. Choose Save to apply the permission changes.

  8. Repeat steps no. 4 – 7 for each Amazon EFS file system available in the selected AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Define the EFS file system access policy that should enforce in-transit data encryption for all the NFS clients that are connecting to your EFS file system:

    1. If the specified EFS file system does not have an access policy defined, paste the following policy document to a JSON file named cc-efs-access-policy.json:
      	{
      		"Version": "2012-10-17",
      		"Id": "efs-policy-wizard-1234abcd-abcd1234",
      		"Statement": [
      			{
      				"Sid": "efs-statement-abcd1234",
      				"Effect": "Allow",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": [
      					"elasticfilesystem:ClientRootAccess",
      					"elasticfilesystem:ClientWrite",
      					"elasticfilesystem:ClientMount"
      				],
      				"Condition": {
      					"Bool": {
      						"elasticfilesystem:AccessedViaMountTarget": "true"
      					}
      				}
      			},
      			{
      				"Sid": "efs-statement-1234abcd",
      				"Effect": "Deny",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": "*",
      				"Condition": {
      					"Bool": {
      						"aws:SecureTransport": "false"
      					}
      				}
      			}
      		]
      	}
      	
    2. If the specified file system does have an access policy already defined, add the following statement to the "Statement" element within the existing policy and save the entire policy document to a JSON file named cc-efs-access-policy.json:
      	{
      		"Sid": "efs-encrypted-in-transit",
      		"Effect": "Deny",
      		"Principal": {
      			"AWS": "*"
      		},
      		"Action": "*",
      		"Condition": {
      			"Bool": {
      				"aws:SecureTransport": "false"
      			}
      		}
      	}
      	
  2. Run put-file-system-policy command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to reconfigure as the identifier parameter to attach the access policy defined at the previous step to the selected file system, in order to enforce in-transit encryption using SSL/TLS:

    aws efs put-file-system-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --policy file://cc-efs-access-policy.json
    
  3. The command output should return the access policy attached to the selected file system, e.g.:

    {
    	"Version": "2012-10-17",
    	"Id": "efs-policy-wizard-1234abcd-abcd1234",
    	"Statement": [
    		{
    			"Sid": "efs-statement-abcd1234",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "*"
    			},
    			"Action": [
    				"elasticfilesystem:ClientRootAccess",
    				"elasticfilesystem:ClientWrite",
    				"elasticfilesystem:ClientMount"
    			],
    			"Condition": {
    				"Bool": {
    					"elasticfilesystem:AccessedViaMountTarget": "true"
    				}
    			}
    		},
    		{
    			"Sid": "efs-statement-1234abcd",
    			"Effect": "Deny",
    			"Principal": {
    				"AWS": "*"
    			},
    			"Action": "*",
    			"Condition": {
    				"Bool": {
    					"aws:SecureTransport": "false"
    				}
    			}
    		}
    	]
    }
    
  4. Repeat steps no. 1 – 3 for each Amazon EFS file system available in the selected AWS region.

  5. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
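The following Python helper applies the Audit step 4 decision logic to a file system policy document and, for the Remediation step 1.2 case, appends the Deny statement shown above when the policy does not already enforce TLS. It is an added example, not Conformity's or AWS's code; it calls no AWS API (the put-file-system-policy step stays manual) and goes one step beyond the page by also requiring the Deny to cover ClientMount, since a Deny limited to other actions would still permit a plaintext mount.

```python
import copy
import json

SECURE_TRANSPORT = "aws:SecureTransport"
MOUNT_ACTIONS = ("*", "elasticfilesystem:*", "elasticfilesystem:ClientMount")

# The statement the Remediation steps add to an existing policy.
DENY_INSECURE_TRANSPORT = {
    "Sid": "efs-encrypted-in-transit",
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "*",
    "Condition": {"Bool": {SECURE_TRANSPORT: "false"}},
}

def _statements(policy):
    """Normalise "Statement" to a list (a policy may carry a single object)."""
    stmts = (policy or {}).get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def _secure_transport(stmt):
    """Value of aws:SecureTransport under a Bool/BoolIfExists operator, else None."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.startswith("Bool") and SECURE_TRANSPORT in pairs:
            return str(pairs[SECURE_TRANSPORT]).lower()
    return None

def enforces_in_transit_encryption(policy):
    """Audit step 4: only a Deny on aws:SecureTransport == "false" that covers
    ClientMount enforces TLS; key absent, Allow+false and Deny+true return False."""
    for stmt in _statements(policy):
        action = stmt.get("Action", [])
        actions = [action] if isinstance(action, str) else action
        if (stmt.get("Effect") == "Deny" and _secure_transport(stmt) == "false"
                and any(a in MOUNT_ACTIONS for a in actions)):
            return True
    return False

def remediate(policy):
    """Remediation step 1.2: copy of the policy with the Deny statement appended
    unless TLS is already enforced; dump the result to cc-efs-access-policy.json."""
    fixed = copy.deepcopy(policy) if policy else {"Version": "2012-10-17"}
    if not enforces_in_transit_encryption(fixed):
        fixed["Statement"] = _statements(fixed) + [copy.deepcopy(DENY_INSECURE_TRANSPORT)]
    return fixed

# Constructed from the page's first Audit example: no aws:SecureTransport key at all.
ALLOW_VIA_MOUNT_TARGET = {"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
    "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}}
NO_KEY = {"Version": "2012-10-17", "Statement": [ALLOW_VIA_MOUNT_TARGET]}

if __name__ == "__main__":
    print("enforced before:", enforces_in_transit_encryption(NO_KEY))
    print(json.dumps(remediate(NO_KEY), indent=2))
```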

Publication date Jan 17, 2024