Amazon Elastic File System
User Guide

Walkthrough: Enforcing Encryption on an Amazon EFS File System at Rest

Following, you can find details about how to enforce encryption at rest using Amazon CloudWatch and AWS CloudTrail. This walkthrough is based upon the AWS whitepaper Encrypt Data at Rest with Amazon EFS Encrypted File Systems.


Currently, you can't enforce encryption in transit.

Enforcing Encryption at Rest

Your organization might require the encryption at rest of all data that meets a specific classification or that is associated with a particular application, workload, or environment. You can enforce policies for data encryption at rest for Amazon EFS file systems by using detective controls. These controls detect the creation of a file system and verify that encryption at rest is enabled.

If a file system that doesn't have encryption at rest is detected, you can respond in a number of ways. These range from deleting the file system and mount targets to notifying an administrator.

If you want to delete an unencrypted-at-rest file system but want to retain the data, first create a new encrypted-at-rest file system. Next, copy the data over to the new encrypted-at-rest file system. After the data is copied over, you can delete the unencrypted-at-rest file system.

Detecting Files Systems That Are Unencrypted at Rest

You can create an CloudWatch alarm to monitor CloudTrail logs for the CreateFileSystem event. You can then trigger the alarm to notify an administrator if the file system that was created was unencrypted at rest.

Create a Metric Filter

To create a CloudWatch alarm that is triggered when an unencrypted Amazon EFS file system is created, use the following procedure.

Before you begin, you must have an existing trail created that is sending CloudTrail logs to a CloudWatch Logs log group. For more information, see Sending Events to CloudWatch Logs in the AWS CloudTrail User Guide.

To create a metric filter

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, choose the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter page, choose Filter Pattern and then type the following:

    { ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) }
  6. Choose Assign Metric.

  7. For Filter Name, type UnencryptedFileSystemCreated.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type UnencryptedFileSystemCreatedEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, use the following procedure to create an alarm.

To create an alarm

  1. On the Filters for the Log_Group_Name page, next to the UnencryptedFileSystemCreated filter name, choose Create Alarm.

  2. On the Create Alarm page, set the following parameters:

    • For Name, type Unencrypted File System Created

    • For Whenever, do the following:

      • Set is to > = 1

      • Set for: to 1 consecutive period(s).

    • For Treat missing data as, choose good (not breaching threshold).

    • For Actions, do the following:

      • For Whenever this alarm, choose State is ALARM.

      • For Send notification to, choose NotifyMe, choose New list, and then type a unique topic name for this list.

      • For Email list, type in the email address where you want notifications sent. You should receive an email at this address to confirm that you created this alarm.

    • For Alarm Preview, do the following:

      • For Period, choose 1 Minute.

      • For Statistic, choose Standard and Sum.

  3. Choose Create Alarm.

Test the Alarm for the Creation of Unencrypted File Systems

You can test the alarm by creating an unencrypted-at-rest file system, as follows.

To test the alarm by creating an unencrypted-at-rest file system

  1. Open the Amazon EFS console at

  2. Choose Create File System.

  3. From the VPC list, choose your default VPC.

  4. Choose all the Availability Zones. Ensure that the default subnets, automatic IP addresses, and the default security groups are chosen. These are your mount targets.

  5. Choose Next Step.

  6. Name your file system and keep Enable encryption unchecked to create an unencrypted file system.

  7. Choose Next Step.

  8. Choose Create File System.

Your trail logs the CreateFileSystem operation and delivers the event to your CloudWatch Logs log group. The event triggers your metric alarm and CloudWatch Logs sends you a notification about the change.