Amazon Elastic File System controls
These controls are related to Amazon EFS resources.
[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type:
AWS::EFS::FileSystem
AWS Config rule:
efs-encrypted-check
Schedule type: Periodic
Parameters: None
This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS. The check fails in the following cases.
-
Encrypted
is set tofalse
in theDescribeFileSystems
response. -
The
KmsKeyId
key in theDescribeFileSystems
response does not match theKmsKeyId
parameter forefs-encrypted-check
.
Note that this control does not use the KmsKeyId
parameter for efs-encrypted-check
. It only checks the value of
Encrypted
.
For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at-rest. You can enable encryption of data at rest when you create an Amazon EFS file system. To learn more about Amazon EFS encryption, see Data encryption in Amazon EFS in the Amazon Elastic File System User Guide.
This control isn't supported in the following Regions:
Africa (Cape Town)
-
Asia Pacific (Hyderabad)
Asia Pacific (Jakarta)
Asia Pacific (Osaka)
Europe (Milan)
-
Europe (Spain)
-
Europe (Zurich)
Middle East (UAE)
Remediation
For details on how to encrypt a new Amazon EFS file system, see Encrypting data at rest in the Amazon Elastic File System User Guide.
[EFS.2] Amazon EFS volumes should be in backup plans
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)
Category: Recover > Resilience > Backup
Severity: Medium
Resource type:
AWS::EFS::FileSystem
AWS Config rule:
efs-in-backup-plan
Schedule type: Periodic
Parameters: None
This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.
This control isn't supported in the following Regions:
-
Africa (Cape Town)
-
Asia Pacific (Hyderabad)
Asia Pacific (Jakarta)
Asia Pacific (Osaka)
Europe (Milan)
-
Europe (Spain)
-
Europe (Zurich)
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
To remediate this issue, update your file system to enable automatic backups.
To enable automatic backups for an existing file system
Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/
. -
On the File systems page, choose the file system for which to enable automatic backups.
The File system details page is displayed.
-
Under General, choose Edit.
-
To enable automatic backups, select Enable automatic backups.
-
Choose Save changes.
To learn more, visit Using AWS Backup with Amazon EFS in the Amazon Elastic File System User Guide.
[EFS.3] EFS access points should enforce a root directory
Related requirements: NIST.800-53.r5 AC-6(10)
Category: Protect > Secure access management
Severity: Medium
Resource type:
AWS::EFS::AccessPoint
AWS Config rule:
efs-access-point-enforce-root-directory
Schedule type: Change triggered
Parameters: None
This control checks if Amazon EFS access points are configured to enforce a root directory. The
control fails if the value of Path
is set to /
(the default root directory of the file system).
When you enforce a root directory, the NFS client using the access point uses the root directory configured on the access point instead of the file system's root directory. Enforcing a root directory for an access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory.
This control isn't supported in the following Regions:
-
Asia Pacific (Hyderabad)
-
Asia Pacific (Jakarta)
-
China (Beijing)
-
China (Ningxia)
-
Europe (Spain)
-
Europe (Zurich)
-
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
For instructions on how to enforce a root directory for an Amazon EFS access point, see Enforcing a root directory with an access point in the Amazon Elastic File System User Guide.
[EFS.4] EFS access points should enforce a user identity
Related requirements: NIST.800-53.r5 AC-6(2)
Category: Protect > Secure access management
Severity: Medium
Resource type:
AWS::EFS::AccessPoint
AWS Config rule:
efs-access-point-enforce-user-identity
Schedule type: Change triggered
Parameters: None
This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point.
Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories.
This control isn't supported in the following Regions:
-
Asia Pacific (Hyderabad)
-
Asia Pacific (Jakarta)
-
China (Beijing)
-
China (Ningxia)
-
Europe (Spain)
-
Europe (Zurich)
-
Middle East (UAE)
-
AWS GovCloud (US-East)
-
AWS GovCloud (US-West)
Remediation
To enforce a user identity for an Amazon EFS access point, see Enforcing a user identity using an access point in the Amazon Elastic File System User Guide.