Encryption best practices for Amazon EFS
Amazon Elastic File System (Amazon EFS) helps you create and configure shared file systems in the AWS Cloud.
Consider the following encryption best practices for this service:
- In AWS Config, implement the efs-encrypted-check AWS managed rule. This rule checks if Amazon EFS is configured to encrypt the file data using AWS KMS.
- Enforce encryption for Amazon EFS file systems by creating an Amazon CloudWatch alarm that monitors CloudTrail logs for CreateFileSystem events and triggers an alarm if an unencrypted file system is created. For more information, see Walkthrough: Enforcing Encryption on an Amazon EFS File System at Rest.
- Mount the file system by using the EFS mount helper. This sets up and maintains a TLS 1.2 tunnel between the client and the Amazon EFS service and routes all Network File System (NFS) traffic over this encrypted tunnel. The following command implements the use of TLS for in-transit encryption.

  sudo mount -t efs -o tls file-system-id:/ /mnt/efs

  For more information, see Using EFS mount helper to mount EFS file systems.
- Using AWS PrivateLink, implement interface VPC endpoints to establish a private connection between VPCs and the Amazon EFS API. Data in transit over the VPN connection to and from the endpoint is encrypted. For more information, see Access an AWS service using an interface VPC endpoint.
- Use the elasticfilesystem:Encrypted condition key in IAM identity-based policies to prevent users from creating EFS file systems that aren't encrypted. For more information, see Using IAM to enforce creating encrypted file systems.
- KMS keys used for EFS encryption should be configured for least-privilege access by using resource-based key policies.
- Use the aws:SecureTransport condition key in the EFS file system policy to enforce use of TLS for NFS clients when connecting to an EFS file system. For more information, see Encryption of data in transit in Encrypting File Data with Amazon Elastic File System (AWS Whitepaper).
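The CloudTrail-based detection described in the second item above, as an added example that is not part of the AWS page or the walkthrough it cites: the check reads CreateFileSystem records and flags any whose response shows the file system was created unencrypted. The sample records are constructed to mirror the CloudTrail record shape (eventSource, eventName, userIdentity, requestParameters, responseElements), and the metric filter pattern is written here as the equivalent CloudWatch Logs expression, not copied from the walkthrough; verify both against the walkthrough before relying on them.

```python
"""Detect CreateFileSystem events that produced an unencrypted EFS file system.

Added example, not from the AWS page. The records below are constructed to
mirror the CloudTrail JSON record shape; runs offline, no AWS calls.
"""
import json

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_RECORDS = json.dumps({
    "Records": [
        {   # encrypted file system: not a finding
            "eventSource": "elasticfilesystem.amazonaws.com",
            "eventName": "CreateFileSystem",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"creationToken": "token-enc", "encrypted": True},
            "responseElements": {"fileSystemId": "fs-0123456789abcdef0", "encrypted": True},
        },
        {   # caller omitted Encrypted and got an unencrypted file system: finding
            "eventSource": "elasticfilesystem.amazonaws.com",
            "eventName": "CreateFileSystem",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
            "requestParameters": {"creationToken": "token-plain"},
            "responseElements": {"fileSystemId": "fs-0fedcba9876543210", "encrypted": False},
        },
        {   # read-only call, ignored
            "eventSource": "elasticfilesystem.amazonaws.com",
            "eventName": "DescribeFileSystems",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
            "requestParameters": None,
            "responseElements": None,
        },
    ]
})

# Assumed CloudWatch Logs filter pattern expressing the same condition for a
# metric filter over the CloudTrail log group; the walkthrough defines its own.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "elasticfilesystem.amazonaws.com") '
    '&& ($.eventName = "CreateFileSystem") '
    '&& ($.responseElements.encrypted IS FALSE) }'
)


def find_unencrypted_creates(trail_json: str) -> list:
    """Return (fileSystemId, caller ARN) for each CreateFileSystem whose
    response does not show encrypted == True. A missing flag is treated as
    unencrypted so a malformed record is surfaced rather than silently passed."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "elasticfilesystem.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateFileSystem":
            continue
        response = rec.get("responseElements") or {}
        if response.get("encrypted") is True:
            continue
        caller = (rec.get("userIdentity") or {}).get("arn")
        findings.append((response.get("fileSystemId"), caller))
    return findings


if __name__ == "__main__":
    for fs_id, caller in find_unencrypted_creates(SAMPLE_RECORDS):
        print(f"ALARM: unencrypted file system {fs_id} created by {caller}")
```

The check keys on responseElements rather than requestParameters because a caller that omits the Encrypted parameter still gets an unencrypted file system; the response is what records the outcome.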
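An offline audit covering three of the items above (the encryption-at-rest check that efs-encrypted-check performs, the aws:SecureTransport deny in the file system policy, and the elasticfilesystem:Encrypted deny in an IAM identity policy), as an added example that is not part of the AWS page. The inputs are constructed to mirror the JSON that `aws efs describe-file-systems` and `aws efs describe-file-system-policy` return; the file system IDs, account number, KMS key ARN and policy documents are all made up for the example, and no AWS calls are made.

```python
"""Audit EFS file systems for encryption at rest and TLS-enforcing policies.

Added example, not from the AWS page. Inputs mirror the JSON shapes of
`aws efs describe-file-systems` and `aws efs describe-file-system-policy`;
every ID, ARN and policy below is constructed. Runs offline.
"""
import json

# Constructed describe-file-systems output: one encrypted, one not.
DESCRIBE_FILE_SYSTEMS = json.dumps({"FileSystems": [
    {"FileSystemId": "fs-0123456789abcdef0", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    {"FileSystemId": "fs-0fedcba9876543210", "Encrypted": False},
]})

# Constructed file system policies keyed by FileSystemId. The first denies every
# action when the NFS client did not connect over TLS; the second grants
# mount/write and says nothing about transport.
FILE_SYSTEM_POLICIES = {
    "fs-0123456789abcdef0": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonTLSClients",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0123456789abcdef0",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
    "fs-0fedcba9876543210": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-0fedcba9876543210",
        }],
    }),
}

# Constructed IAM identity policy: explicit Deny on CreateFileSystem whenever the
# request does not set Encrypted=true.
DENY_UNENCRYPTED_CREATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedFileSystems",
        "Effect": "Deny",
        "Action": "elasticfilesystem:CreateFileSystem",
        "Resource": "*",
        "Condition": {"Bool": {"elasticfilesystem:Encrypted": "false"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and similar fields."""
    return value if isinstance(value, list) else [value]


def _deny_statements_with_bool(policy_json, key, expected):
    """Yield Deny statements whose Bool condition sets `key` to `expected`."""
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        value = st.get("Condition", {}).get("Bool", {}).get(key)
        if value is not None and str(value).lower() == expected:
            yield st


def policy_enforces_tls(policy_json: str) -> bool:
    """True if a Deny on all EFS actions fires when aws:SecureTransport is false."""
    for st in _deny_statements_with_bool(policy_json, "aws:SecureTransport", "false"):
        if {"*", "elasticfilesystem:*"} & set(_as_list(st.get("Action", []))):
            return True
    return False


def identity_policy_blocks_unencrypted_create(policy_json: str) -> bool:
    """True if a Deny on CreateFileSystem fires when elasticfilesystem:Encrypted is false."""
    wanted = {"*", "elasticfilesystem:*", "elasticfilesystem:CreateFileSystem"}
    for st in _deny_statements_with_bool(policy_json, "elasticfilesystem:Encrypted", "false"):
        if wanted & set(_as_list(st.get("Action", []))):
            return True
    return False


def audit(describe_json: str, policies: dict) -> list:
    """One finding per gap; an empty list means every file system passes both checks."""
    findings = []
    for fs in json.loads(describe_json)["FileSystems"]:
        fs_id = fs["FileSystemId"]
        if not fs.get("Encrypted"):
            findings.append({"FileSystemId": fs_id, "Issue": "not encrypted at rest"})
        policy = policies.get(fs_id)
        if policy is None or not policy_enforces_tls(policy):
            findings.append({"FileSystemId": fs_id, "Issue": "file system policy does not enforce TLS"})
    return findings


if __name__ == "__main__":
    for finding in audit(DESCRIBE_FILE_SYSTEMS, FILE_SYSTEM_POLICIES):
        print(finding)
    print("identity policy blocks unencrypted create:",
          identity_policy_blocks_unencrypted_create(DENY_UNENCRYPTED_CREATE))
```

Both policy checks look only for an explicit Deny: an Allow that carries a `"Bool": {"aws:SecureTransport": "true"}` condition still lets another Allow statement or identity policy admit a non-TLS client, so the Deny form is the one that actually enforces the control.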