Secure encryption of confidential information in AWS Elastic File System (EFS) using Customer Managed Keys (CMKs)
```yaml
Resources:
  MyEFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      PerformanceMode: generalPurpose
      Encrypted: false
```
The above CloudFormation template creates an EFS file system with encryption at rest explicitly disabled (Encrypted: false), so no customer-controlled encryption is configured for it.
By default, AWS EFS encrypts data at rest using a default AWS-managed KMS
key. While this provides some level of protection, it does not give the
customer full control over key management. If the default key is ever
compromised, data confidentiality could be at risk.
To follow best practices and meet compliance requirements, it is
recommended to use a Customer Managed Key (CMK) so that you control the
lifecycle and access policies of the encryption key.
```yaml
Resources:
  EFSEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key for EFS encryption
      Enabled: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: "kms:*"
            Resource: "*"
      PendingWindowInDays: 7
  MyEFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      PerformanceMode: generalPurpose
      Encrypted: true
      KmsKeyId: !Ref EFSEncryptionKey
```
The above CloudFormation template first creates a Customer Managed Key (CMK) using the AWS::KMS::Key resource. PendingWindowInDays: 7 gives the key a 7-day waiting period before a scheduled deletion takes effect, so an accidental deletion can still be cancelled. The key policy shown grants kms:* to the account's root principal, which delegates access control for the key to the IAM policies in that account; narrow it to the principals that actually need the key where your environment allows.
The EFS file system is then created with Encrypted: true, using the CMK referenced through the KmsKeyId property (!Ref EFSEncryptionKey). This ensures that data is encrypted with a customer-controlled key, giving you control over, and visibility into, the key that protects confidential data.
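As an added example (not part of the original page), the following stand-alone Python script applies the check described above to a CloudFormation template: every AWS::EFS::FileSystem resource is classified as unencrypted, encrypted with the AWS-managed key, or encrypted with a CMK defined in (or supplied to) the template. The two templates from this page are embedded as constructed sample input in CloudFormation's JSON form, where `!Ref` becomes `{"Ref": ...}` and `!Sub` becomes `{"Fn::Sub": ...}`, so the script needs only the standard library; the function names and the FAIL/WARN/PASS labels are this example's own choices. It also recognises `Fn::GetAtt` key references and literal key IDs/ARNs, which goes slightly beyond the page's single `!Ref` case.

```python
import json

EFS_TYPE = "AWS::EFS::FileSystem"
KMS_TYPE = "AWS::KMS::Key"

# Constructed sample input: the "before" template from this page, in JSON form.
BEFORE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyEFSFileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {"PerformanceMode": "generalPurpose", "Encrypted": false}
    }
  }
}
""")

# Constructed sample input: the "after" template from this page, in JSON form.
AFTER_TEMPLATE = json.loads("""
{
  "Resources": {
    "EFSEncryptionKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "KMS key for EFS encryption",
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
            "Action": "kms:*",
            "Resource": "*"
          }]
        },
        "PendingWindowInDays": 7
      }
    },
    "MyEFSFileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "PerformanceMode": "generalPurpose",
        "Encrypted": true,
        "KmsKeyId": {"Ref": "EFSEncryptionKey"}
      }
    }
  }
}
""")


def check_efs_encryption(template):
    """Classify every EFS file system in a parsed CloudFormation template.

    Returns {logical_id: (status, reason)}, status being "FAIL", "WARN" or "PASS".
    """
    resources = template.get("Resources", {})
    results = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != EFS_TYPE:
            continue
        props = resource.get("Properties", {})
        encrypted = props.get("Encrypted")
        key = props.get("KmsKeyId")

        if encrypted is not True:
            # Encrypted: false, or the property is absent: the template does
            # not pin encryption at rest on for this file system.
            results[logical_id] = ("FAIL", "encryption at rest is not enabled in the template")
        elif key is None:
            # Encrypted but no key given: the AWS-managed key is used.
            results[logical_id] = ("WARN", "encrypted with the AWS-managed key (no KmsKeyId)")
        elif isinstance(key, dict) and ("Ref" in key or "Fn::GetAtt" in key):
            # Intrinsic reference to another resource in the same template.
            target = key["Ref"] if "Ref" in key else key["Fn::GetAtt"][0]
            if resources.get(target, {}).get("Type") == KMS_TYPE:
                results[logical_id] = ("PASS", f"encrypted with CMK defined in template: {target}")
            else:
                results[logical_id] = ("FAIL", f"KmsKeyId references {target}, which is not an AWS::KMS::Key")
        elif isinstance(key, str):
            # Literal key ID, ARN or alias supplied from outside the template.
            results[logical_id] = ("PASS", f"encrypted with externally supplied key: {key}")
        else:
            results[logical_id] = ("FAIL", "KmsKeyId has an unrecognised form")
    return results


def cmk_deletion_window(template, logical_id):
    """Return PendingWindowInDays of a KMS key in the template, or None if unset/absent."""
    key = template.get("Resources", {}).get(logical_id, {})
    if key.get("Type") != KMS_TYPE:
        return None
    return key.get("Properties", {}).get("PendingWindowInDays")


if __name__ == "__main__":
    for label, tpl in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        for fs, (status, reason) in check_efs_encryption(tpl).items():
            print(f"{label}: {fs}: {status} - {reason}")
    print("CMK deletion window (days):", cmk_deletion_window(AFTER_TEMPLATE, "EFSEncryptionKey"))
```

Run it on any template converted to JSON (`aws cloudformation` accepts both formats, and YAML templates can be loaded with a YAML parser that understands the `!Ref`/`!Sub` tags). The WARN status is deliberate: an encrypted file system on the AWS-managed key is not a defect by itself, but it is exactly the configuration the page recommends replacing with a CMK.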