High

Ensure EFS file systems are encrypted using KMS CMK customer-managed keys

Description

To have more precise control over the encryption and decryption of your data at rest, ensure that your Amazon EFS file systems are encrypted with customer-managed KMS keys (CMKs) instead of the default AWS managed key. When you protect a file system's data and metadata with your own CMK, you have complete control over who can use that key to access the data, including the file system metadata. Through the AWS KMS service you can create, rotate, disable, and audit the keys for your file systems, which gives you more granular control over the encryption and decryption of your data at rest.

Remediation

To ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys, you can follow these remediation steps:

  1. Identify EFS file systems not using customer-managed keys: check each file system's encryption settings in the EFS console, with the AWS CLI, or with the SDKs.
  2. Create or import your own KMS CMK customer-managed keys: use the AWS KMS service to create or import the keys, and ensure that each key has the appropriate key policy and permissions set.
  3. Define the KMS CMK customer-managed keys for your EFS file systems: select the "configure security" option in the EFS console, or use the AWS CLI or SDKs, to associate the keys with your file systems.
  4. Verify that the correct KMS CMK customer-managed keys are being used: once the keys are defined, confirm through the EFS console, AWS CLI, or SDKs that each file system reports the expected key.
  5. Update your organization's policies and procedures: after the existing file systems are covered, update your policies and procedures so that every new EFS file system is created with a customer-managed key.
  6. Regularly monitor and audit your EFS file systems: to ensure that they remain encrypted with customer-managed keys, monitor and audit them on a regular basis; AWS Config rules can check that encryption is enabled and properly configured.

By following these remediation steps, you can ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys, providing you with more granular control over the encryption/decryption process of your data-at-rest.
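The identification and verification steps above (1 and 4) as an added audit example, not code from this page or from Lightlytics: it classifies each file system returned by DescribeFileSystems by the KeyManager value of its KMS key, and because encryption at rest and its key are fixed when an EFS file system is created, a file system flagged here is remediated by creating a new encrypted one and migrating the data rather than by editing it in place. The account id, key ARNs and file system ids are constructed placeholders, and live_audit assumes boto3 is installed with credentials configured.

```python
from typing import Callable, Dict, List

# Findings; only CUSTOMER_MANAGED_KEY satisfies the rule.
UNENCRYPTED = "UNENCRYPTED"
AWS_MANAGED = "AWS_MANAGED_KEY"
CUSTOMER_MANAGED = "CUSTOMER_MANAGED_KEY"

def classify_file_system(fs: dict, key_manager: Callable[[str], str]) -> str:
    """Classify one DescribeFileSystems entry. key_manager maps a KMS key
    id/ARN to DescribeKey's KeyManager value ("AWS" or "CUSTOMER")."""
    if not fs.get("Encrypted"):
        return UNENCRYPTED
    key_id = fs.get("KmsKeyId")
    # No key id on an encrypted file system is unexpected; treat it as a finding.
    if not key_id or key_manager(key_id) != "CUSTOMER":
        return AWS_MANAGED
    return CUSTOMER_MANAGED

def audit(file_systems: List[dict], key_manager: Callable[[str], str]) -> Dict[str, List[str]]:
    """Group file-system ids by finding."""
    report: Dict[str, List[str]] = {UNENCRYPTED: [], AWS_MANAGED: [], CUSTOMER_MANAGED: []}
    for fs in file_systems:
        report[classify_file_system(fs, key_manager)].append(fs["FileSystemId"])
    return report

# Constructed sample data in the shape DescribeFileSystems returns; the account
# id, key ids and file system ids are placeholders, not real resources.
KEY_AWS = "arn:aws:kms:us-east-1:111122223333:key/00000000-aws-managed-placeholder"
KEY_CMK = "arn:aws:kms:us-east-1:111122223333:key/11111111-customer-cmk-placeholder"
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000aaaa", "Encrypted": False},
    {"FileSystemId": "fs-0000bbbb", "Encrypted": True, "KmsKeyId": KEY_AWS},
    {"FileSystemId": "fs-0000cccc", "Encrypted": True, "KmsKeyId": KEY_CMK},
]
SAMPLE_KEY_MANAGERS = {KEY_AWS: "AWS", KEY_CMK: "CUSTOMER"}

def live_audit(region_name: str) -> Dict[str, List[str]]:
    """Same audit against a real account; assumes boto3 and credentials."""
    import boto3  # imported lazily so the offline sample needs no SDK
    efs = boto3.client("efs", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    systems = [fs for page in efs.get_paginator("describe_file_systems").paginate()
               for fs in page["FileSystems"]]
    return audit(systems, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]["KeyManager"])

if __name__ == "__main__":
    for finding, ids in audit(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_MANAGERS.__getitem__).items():
        print(f"{finding}: {ids or '-'}")
```

Any id listed under UNENCRYPTED or AWS_MANAGED_KEY fails the rule; the same two buckets are what an AWS Config rule for step 6 should alert on.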

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.