Non-encrypted confidential information - EFS - cloudformation

Need

Secure encryption of confidential information in AWS Elastic File System (EFS) using Customer Managed Keys (CMKs)

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS resources such as EFS and KMS

Description

Non-compliant code

        Resources:
          MyEFSFileSystem:
            Type: AWS::EFS::FileSystem
            Properties:
              PerformanceMode: generalPurpose
              Encrypted: false

The above CloudFormation template creates an EFS file system with Encrypted set to false, so the data at rest is not encrypted at all, and no key is configured.

Even when encryption is enabled without specifying a key, AWS EFS falls back to the default AWS-managed KMS key. While this provides some level of protection, it does not give the customer control over key management: the customer cannot define the key policy, rotate or disable the key, or audit its use independently. If the default key is ever compromised, data confidentiality could be at risk.

To follow best practices and meet compliance requirements, it is recommended to use a Customer Managed Key (CMK) so that you control the lifecycle and access policies of the encryption key.

Steps

  • Create a Customer Managed Key (CMK) using AWS::KMS::Key
  • Create an AWS::EFS::FileSystem resource with encryption enabled
  • Reference the CMK in the KmsKeyId property of the EFS resource

Compliant code

        Resources:
          EFSEncryptionKey:
            Type: AWS::KMS::Key
            Properties:
              Description: KMS key for EFS encryption
              Enabled: true
              # Key policy: the account root gets full control of the key.
              # Tighten this to specific IAM principals in production.
              KeyPolicy:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
                    Action: "kms:*"
                    Resource: "*"
              # Waiting period before the key is actually deleted (7-30 days).
              PendingWindowInDays: 7

          MyEFSFileSystem:
            Type: AWS::EFS::FileSystem
            Properties:
              PerformanceMode: generalPurpose
              Encrypted: true
              # KmsKeyId accepts a key ID, ARN or alias; !GetAtt ... Arn passes
              # the CMK ARN (!Ref would pass only the key ID).
              KmsKeyId: !GetAtt EFSEncryptionKey.Arn

The above CloudFormation template first creates a Customer Managed Key (CMK) using the AWS::KMS::Key resource. Its key policy grants the account root full control of the key, and the 7-day deletion window (PendingWindowInDays) allows recovery in case of accidental deletion, because a scheduled deletion can be cancelled until the window expires.

The EFS file system is then created with encryption enabled, using the CMK ARN specified via the KmsKeyId property. This ensures that data at rest is encrypted with a customer-controlled key, so the customer decides who can use the key, when it rotates, and when it is retired, improving control and security over confidential data.

References