A-EFS-1

EFS Mounted Without Encryption at Rest

Risk: Critical
CWE: 312

EFS file systems should be configured to encrypt data at rest, so that access to the encryption key becomes a prerequisite for reading or copying the data, thereby reducing the impact of leaked raw storage.


Details

Amazon Web Services (AWS) Elastic File System (EFS) is a scalable file storage solution designed for use with cloud services. It serves as a network file storage system similar to traditional on-premises setups. Essentially, as a network-attached file storage option, EFS allows multiple connected servers to store and access data in a file system format suitable for both Windows and Linux machines.

The primary function of an elastic file system is to host data in various file formats, enabling easy read/write access from multiple clients. As a data storage service, it is crucial to configure the elastic file system to encrypt data at rest.

Encryption at rest ensures that the underlying physical storage does not hold the data in a "plain text" readable format. If data is stored in plain text, anyone with access to the hard disc (or a copy of it) could read all of the information without any barrier. To safeguard sensitive data and ensure privacy, EFS offers a configuration option that encrypts data at rest on the file system: connected clients continue to read and write the data as normal, while only an encrypted form of it is stored on the physical disc.

In addition to protecting the data on the physical hardware, requiring encryption adds a layer of identity and access management, because decrypting the data requires access to the encryption key. With encryption in place, any file system, or any copy of that file system, can only be decrypted by a party with access to the encryption keys, so an unauthorised entity without that access would be unable to read the file system.

As a single unencrypted copy of sensitive data can lead to widespread leaks if it falls into the wrong hands, this additional layer of access control is a key blocker that stops a leaked copy of the underlying file system from causing such a breach. Enforced encryption at rest is therefore generally included as a requirement in most cybersecurity policies.

Remediation

When an EFS file system is created through the AWS Console, encryption at rest is enabled by default. This is not the case for file systems created via the SDK or CLI, which is why most unencrypted file systems originate from Infrastructure as Code tools such as Terraform.

The first step is to detect which EFS file systems are not encrypted at rest. Since encryption is set at creation, those that are not encrypted will need replacing by migrating to a new EFS file system with encryption enabled when it is created. This can be done in a number of ways, including via the AWS Replication tool or via third-party tools that migrate the data. Active systems attached to the unencrypted file system will need moving to the new file system, which requires a migration process tailored to each service and to how it currently consumes the file system.

Secondly, it is worthwhile determining whether identities should be blocked from creating unencrypted EFS file systems at all. This can be done by attaching IAM policies to users and roles that deny the creation of unencrypted resources, or via Service Control Policies (SCPs), which can enforce this requirement across an organisation.
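The two remediation steps above, detection and prevention, as an added example (not SkySiege tooling or AWS sample code). The detection logic works on the field names returned by the EFS DescribeFileSystems API; the file system IDs, names and KMS key ARN in the sample are constructed, and `fetch_file_systems` assumes boto3 and AWS credentials are available when run against a live account.

```python
"""Find EFS file systems that are not encrypted at rest, and build the SCP
that stops new unencrypted ones being created."""
import json

# Constructed sample in the shape of DescribeFileSystems -> "FileSystems".
# Field names match the real EFS API; IDs, names and the key ARN are made up.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0a1b2c3d4e5f60001", "Name": "app-uploads",
     "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"FileSystemId": "fs-0a1b2c3d4e5f60002", "Name": "legacy-share",
     "Encrypted": False},
    {"FileSystemId": "fs-0a1b2c3d4e5f60003", "Encrypted": False},
]


def find_unencrypted(file_systems):
    """Return (FileSystemId, Name) for every file system whose Encrypted flag
    is not True. Encryption is fixed at creation, so each hit needs migrating."""
    return [(fs["FileSystemId"], fs.get("Name", "<unnamed>"))
            for fs in file_systems if not fs.get("Encrypted", False)]


def fetch_file_systems(region):
    """Pull every file system in one region via boto3 (imported lazily so the
    detection logic above stays usable offline)."""
    import boto3  # assumed available where this runs against a live account
    efs = boto3.client("efs", region_name=region)
    found = []
    for page in efs.get_paginator("describe_file_systems").paginate():
        found.extend(page["FileSystems"])
    return found


def deny_unencrypted_efs_scp():
    """SCP (also valid as an IAM policy) denying CreateFileSystem unless
    encryption at rest is requested. BoolIfExists also denies the call when
    the Encrypted parameter is omitted entirely, rather than letting it through."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedEfs",
            "Effect": "Deny",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"elasticfilesystem:Encrypted": "false"}},
        }],
    }


if __name__ == "__main__":
    for fs_id, name in find_unencrypted(SAMPLE_FILE_SYSTEMS):
        print(f"UNENCRYPTED {fs_id} ({name})")
    print(json.dumps(deny_unencrypted_efs_scp(), indent=2))
```

Run `find_unencrypted(fetch_file_systems(region))` for each region in use to get the live list; the SCP is attached at the organisation or OU level so it applies regardless of how the file system is created.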

Managing these policies and detecting these resources across an organisation can be difficult. Use a SkySiege Cloud Assessment to determine what is at risk and to get premade policies via our SkySiege for Organisations service:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.