
More Info:

Ensure that your Amazon EFS file systems are encrypted in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your file system, therefore the encryption process does not require any additional action from you or your application. Encryption keys are managed by AWS KMS service, eliminating the need to build and maintain a secure key management infrastructure.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP, NIST

Triage and Remediation

Remediation

Using Console

To remediate the EFS Encryption Enabled misconfiguration in AWS using the console, follow the steps below. Amazon EFS encryption at rest can only be chosen when a file system is created and cannot be switched on or off afterwards, so an existing unencrypted file system has to be replaced by an encrypted one and its data migrated:
  1. Open the AWS Management Console and navigate to the Amazon Elastic File System (EFS) service.
  2. Select the EFS file system that needs to be remediated and confirm in its details that the “Encrypted” attribute is not set.
  3. Create a new file system with encryption of data at rest enabled, using either the AWS managed key (aws/elasticfilesystem) or a customer managed KMS key.
  4. Copy the data from the unencrypted file system to the new one (for example with AWS DataSync) and point the mount targets and clients at the new file system.
  5. Once the migration has been verified, delete the unencrypted file system so that it can no longer be mounted.
Note: The “Modify file system” action only changes settings such as throughput mode; it does not offer an encryption option, which is why the replacement above is required.

To remediate the misconfiguration of EFS Encryption Enabled in AWS using AWS CLI, follow these steps. Because encryption at rest cannot be added to an existing file system, the remediation creates an encrypted replacement:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list the EFS file systems in your AWS account that have encryption disabled:
aws efs describe-file-systems --query "FileSystems[?Encrypted==\`false\`].[FileSystemId,Name]" --output table
  3. Identify the EFS file system that has encryption disabled.
  4. Run the following command to create an encrypted replacement file system (omit --kms-key-id to use the AWS managed key aws/elasticfilesystem):
aws efs create-file-system --creation-token <unique-token> --encrypted --kms-key-id <kms-key-id> --performance-mode generalPurpose --tags Key=Name,Value=<name>
Replace <unique-token>, <kms-key-id> and <name> with a unique idempotency token, the KMS key ID or alias you want to use, and the name for the new file system.
  5. Migrate the data from the unencrypted file system to the new one (for example with AWS DataSync), update the mount targets and clients, and then delete the unencrypted file system.
  6. Verify that encryption is enabled for the new EFS file system by running the following command:
aws efs describe-file-systems --file-system-id <file-system-id> --query "FileSystems[*].Encrypted"
Replace <file-system-id> with the ID of the new file system; the command should print true.
  7. Repeat the above steps for all the EFS file systems in your AWS account that have encryption disabled.
By following these steps, you can remediate the misconfiguration of EFS Encryption Enabled in AWS using AWS CLI.
To remediate the EFS Encryption Enabled misconfiguration in AWS using Python, use the AWS SDK for Python (Boto3). Boto3 exposes no call that changes the encryption setting of an existing file system, because encryption at rest is fixed when the file system is created. The snippet below therefore lists the file systems that are not encrypted and creates an encrypted replacement for the one being remediated; migrating the data and deleting the old file system are done separately:
import boto3

# Create an EFS client
efs = boto3.client('efs')

# List every file system whose Encrypted attribute is not true
unencrypted = [
    fs['FileSystemId']
    for fs in efs.describe_file_systems()['FileSystems']
    if not fs.get('Encrypted', False)
]
print('Unencrypted file systems:', unencrypted)

# Set the ID of the unencrypted EFS file system being replaced
file_system_id = 'fs-12345678'

# Encryption at rest cannot be changed on an existing file system,
# so create an encrypted replacement for it instead
response = efs.create_file_system(
    CreationToken=f'encrypted-replacement-{file_system_id}',
    Encrypted=True,
    # Omit KmsKeyId to use the AWS managed key aws/elasticfilesystem
    KmsKeyId='alias/my-efs-key',
    PerformanceMode='generalPurpose',
    Tags=[{'Key': 'Name', 'Value': f'{file_system_id}-encrypted'}],
)

# Print the ID and encryption state of the new file system
print(response['FileSystemId'], response['Encrypted'])
Make sure to replace fs-12345678 with the actual ID of the EFS file system that you want to remediate, and alias/my-efs-key with the KMS key you want the new file system to use.
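The detection side of this check, as an added example that is not part of the original page or any AWS SDK: it evaluates the response shape returned by describe_file_systems, treats a missing Encrypted attribute the same as false, reports which key protects each compliant file system, and builds the create_file_system parameters for an encrypted replacement. The sample response, the file system IDs and the Finding class are constructed for the example; scan_account is the only function that needs boto3 and is not exercised offline.

```python
"""Check Amazon EFS file systems for encryption at rest and prepare a remediation."""
from dataclasses import dataclass

# Constructed sample in the shape boto3's describe_file_systems() returns;
# only the fields this check reads are included.
SAMPLE_RESPONSE = {
    "FileSystems": [
        {"FileSystemId": "fs-0a1b2c3d", "Name": "app-data", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"FileSystemId": "fs-0e4f5a6b", "Name": "legacy-share", "Encrypted": False},
        {"FileSystemId": "fs-0c7d8e9f", "Name": "no-flag"},  # attribute absent
    ]
}


@dataclass
class Finding:
    file_system_id: str
    name: str
    compliant: bool
    reason: str


def evaluate_file_systems(response):
    """Return one Finding per file system; anything not explicitly encrypted fails."""
    findings = []
    for fs in response.get("FileSystems", []):
        fs_id = fs["FileSystemId"]
        name = fs.get("Name", "")
        if fs.get("Encrypted") is True:
            key = fs.get("KmsKeyId", "aws/elasticfilesystem")
            findings.append(Finding(fs_id, name, True, f"encrypted at rest with {key}"))
        else:
            findings.append(Finding(fs_id, name, False,
                                    "encryption at rest not enabled; it cannot be added later, "
                                    "create an encrypted replacement and migrate the data"))
    return findings


def noncompliant_ids(response):
    """IDs of the file systems that fail the check, in API order."""
    return [f.file_system_id for f in evaluate_file_systems(response) if not f.compliant]


def replacement_params(fs_id, kms_key_id=None):
    """Parameters for efs.create_file_system(**params) that replace fs_id with an encrypted file system.

    Leaving kms_key_id unset selects the AWS managed key aws/elasticfilesystem.
    """
    params = {
        "CreationToken": f"encrypted-replacement-{fs_id}",  # idempotency token, max 64 chars
        "Encrypted": True,
        "PerformanceMode": "generalPurpose",
        "Tags": [{"Key": "ReplacesFileSystem", "Value": fs_id}],
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def scan_account(client=None):
    """Run the check against a live account using the describe_file_systems paginator."""
    if client is None:
        import boto3  # imported here so the offline functions above need no SDK
        client = boto3.client("efs")
    merged = {"FileSystems": []}
    for page in client.get_paginator("describe_file_systems").paginate():
        merged["FileSystems"].extend(page["FileSystems"])
    return evaluate_file_systems(merged)


if __name__ == "__main__":
    for finding in evaluate_file_systems(SAMPLE_RESPONSE):
        state = "PASS" if finding.compliant else "FAIL"
        print(f"{state} {finding.file_system_id} ({finding.name}): {finding.reason}")
    for fs_id in noncompliant_ids(SAMPLE_RESPONSE):
        print("remediation:", replacement_params(fs_id))
```

Treating an absent Encrypted attribute as a failure is deliberate: the check should fail closed rather than assume a file system is protected when the API does not say so. The Finding reason records the key in use, which lets a reviewer separate file systems on the AWS managed key from those on a customer managed key without a second API call.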

Additional Reading: