Amazon Elastic File System
User Guide

Walkthrough 6: Enforcing Encryption on an Amazon EFS File System at Rest

Following, you can find details about how to enforce encryption at rest using Amazon CloudWatch and AWS CloudTrail. This walkthrough is based upon the AWS whitepaper Encrypt Data at Rest with Amazon EFS Encrypted File Systems.

Enforcing Encryption at Rest

Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment. You can enforce data encryption policies for Amazon EFS file systems by using detective controls that detect the creation of a file system and verify that encryption is enabled. If an unencrypted file system is detected, you can respond in a number of ways, ranging from deleting the file system and mount targets to notifying an administrator.

If you want to delete an unencrypted file system but want to retain the data, you should first create a new encrypted file system. Next, you should copy the data over to the new encrypted file system. After the data is copied over, you can delete the unencrypted file system.

Detecting Unencrypted File Systems

You can create an CloudWatch alarm to monitor CloudTrail logs for the CreateFileSystem event. You can then trigger the alarm to notify an administrator if the file system that was created was unencrypted.

Create a Metric Filter

To create a CloudWatch alarm that is triggered when an unencrypted Amazon EFS file system is created, use the following procedure.

Before you begin, you must have an existing trail created that is sending CloudTrail logs to a CloudWatch Logs log group. For more information, see Sending Events to CloudWatch Logs in the AWS CloudTrail User Guide.

To create a metric filter

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, choose the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter page, choose Filter Pattern and then type the following:

    { ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) }
  6. Choose Assign Metric.

  7. For Filter Name, type UnencryptedFileSystemCreated.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type UnencryptedFileSystemCreatedEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, use the following procedure to create an alarm.

To create an alarm

  1. On the Filters for the Log_Group_Name page, next to the UnencryptedFileSystemCreated filter name, choose Create Alarm.

  2. On the Create Alarm page, set the following parameters:

    • For Name, type Unencrypted File System Created

    • For Whenever, do the following:

      • Set is to > = 1

      • Set for: to 1 consecutive period(s).

    • For Treat missing data as, choose good (not breaching threshold).

    • For Actions, do the following:

      • For Whenever this alarm, choose State is ALARM.

      • For Send notification to, choose NotifyMe, choose New list, and then type a unique topic name for this list.

      • For Email list, type in the email address where you want notifications sent. You should receive an email at this address to confirm that you created this alarm.

    • For Alarm Preview, do the following:

      • For Period, choose 1 Minute.

      • For Statistic, choose Standard and Sum.

  3. Choose Create Alarm.

Test the Alarm for the Creation of Unencrypted File Systems

You can test the alarm by creating an unencrypted file system, as follows.

To test the alarm by creating an unencrypted file system

  1. Open the Amazon EFS console at

  2. Choose Create File System.

  3. From the VPC list, choose your default VPC.

  4. Choose all the Availability Zones. Ensure that the default subnets, automatic IP addresses, and the default security groups are chosen. These are your mount targets.

  5. Choose Next Step.

  6. Name your file system and keep Enable encryption unchecked to create an unencrypted file system.

  7. Choose Next Step.

  8. Choose Create File System.

Your trail logs the CreateFileSystem operation and delivers the event to your CloudWatch Logs log group. The event triggers your metric alarm and CloudWatch Logs sends you a notification about the change.