EFS allows for insecure mounts, leaving communications between host machines and remote file systems unencrypted.
Amazon EFS (Elastic File System) provides a scalable file storage solution for use within an Amazon VPC (Virtual Private Cloud). It is a cloud-native equivalent of traditional network file storage, and as such requires both encryption at rest and encryption of in transit traffic to ensure that data is secure.
Just like with on-premises network file storage, failing to encrypt these connections exposes your data to packet eavesdropping. In an AWS VPC, any machine on the network route can read unencrypted communications, including the hypervisor and any Traffic Mirroring sessions. If these connections use an unencrypted protocol, data is transmitted in plain text, allowing unauthorised third parties to read sensitive data as it is sent.
Encryption for EFS connections uses an application intermediary on each server to set up an encrypted connection between the AWS EFS file system and the client machine. This is usually the stunnel utility, which wraps the NFS connection in TLS. The utility is configured per connection, meaning that every client needs to be provisioned and configured to use it. Once configured, the encrypted tunnel listens on a local port, and that local endpoint is then mounted as a file system on the client. As this is a brand new mounted filesystem, any consuming services may need to be reconfigured to use the new mount before the old, insecure connection is removed.
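The tunnel-plus-loopback-mount pattern described above, as an added example that is not code from the original page or from SkySiege. It assumes the amazon-efs-utils mount helper for the short form of the command; the file-system id fs-0123456789abcdef0, the region eu-west-1, the mount points and the CA bundle path are constructed placeholders. The last function reads a mount table in the /proc/mounts format and flags NFS mounts that go straight to an EFS endpoint without passing through the local TLS proxy, which is the condition this page describes.

```shell
#!/bin/sh
# Added example, not from the original page or from SkySiege.
# Two halves of the encrypted EFS mount pattern:
#   1. what the stunnel configuration and mount commands look like;
#   2. a check over a mount table (the /proc/mounts format) that flags NFS
#      mounts reaching an EFS endpoint directly, i.e. without the TLS proxy.
# fs-0123456789abcdef0, eu-west-1, the mount points and the CA bundle path
# are constructed placeholders.

# stunnel configuration for one EFS file system. The verification lines
# matter: without verifyChain/checkHost the tunnel is encrypted but the
# client never authenticates the endpoint it is talking to.
stunnel_conf() {
    fsid=$1
    region=$2
    host="$fsid.efs.$region.amazonaws.com"
    cat <<EOF
[efs]
client = yes
accept = 127.0.0.1:20049
connect = $host:2049
sslVersion = TLSv1.2
CAfile = /path/to/ca-bundle.crt
verifyChain = yes
checkHost = $host
EOF
}

# Mount command once the tunnel above is running: the NFS client talks to
# the loopback port only, never to the EFS endpoint directly.
manual_tls_mount_cmd() {
    echo "mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,port=20049 127.0.0.1:/ $1"
}

# Equivalent using the amazon-efs-utils helper, which generates the stunnel
# configuration and chooses the local port itself.
efs_utils_tls_mount_cmd() {
    echo "mount -t efs -o tls $1:/ $2"
}

# Read mount-table lines on stdin and print "<CLASS> <mountpoint> <source>"
# for every NFS mount:
#   DIRECT  - source is an *.efs.*.amazonaws.com name: plain NFS, no TLS
#   TLS     - source is loopback: traffic goes through the local stunnel proxy
#   UNKNOWN - anything else (e.g. a mount-target IP address); compare it
#             against the file system's mount-target IPs before trusting it
classify_efs_mounts() {
    while read -r src mnt fstype opts rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        case "$src" in
            127.0.0.1:*|localhost:*)   echo "TLS $mnt $src" ;;
            *.efs.*.amazonaws.com:*)   echo "DIRECT $mnt $src" ;;
            *)                         echo "UNKNOWN $mnt $src" ;;
        esac
    done
}

# Number of DIRECT (unencrypted) EFS mounts among the lines read on stdin.
count_direct_mounts() {
    classify_efs_mounts | grep -c '^DIRECT ' || true
}

# Constructed mount-table sample: one direct EFS mount, one mount through the
# tunnel (note port=20049 and the loopback source), and a local disk to ignore.
SAMPLE_MOUNTS='fs-0123456789abcdef0.efs.eu-west-1.amazonaws.com:/ /mnt/data nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,addr=10.0.1.23 0 0
127.0.0.1:/ /mnt/secure nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,port=20049,addr=127.0.0.1 0 0
/dev/nvme0n1p1 / ext4 rw,relatime 0 0'

stunnel_conf fs-0123456789abcdef0 eu-west-1
manual_tls_mount_cmd /mnt/efs
efs_utils_tls_mount_cmd fs-0123456789abcdef0 /mnt/efs
printf '%s\n' "$SAMPLE_MOUNTS" | classify_efs_mounts
# On a real host: classify_efs_mounts < /proc/mounts
```

On a live instance, `classify_efs_mounts < /proc/mounts` is the check to run; mounts that use a mount-target IP address rather than the DNS name come out as UNKNOWN and have to be matched against the addresses returned by `aws efs describe-mount-targets`. When the mount helper is used, it handles certificate verification for you; with a hand-written stunnel configuration the `verifyChain` and `checkHost` lines are what turn the tunnel from "encrypted" into "encrypted to the file system you meant".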
Provisioning this setup will likely involve automation to ensure that every service has the appropriate resources and configuration to connect securely to the provided EFS file system. For automation patterns and help with your migration process, order a SkySiege scan to detect your unencrypted connections, and use the included consultation to determine your best path forward:
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.