Amazon Elastic File System (EFS) file systems should be encrypted to protect sensitive data at rest.

Why is this an issue?

Amazon Elastic File System (EFS) is a serverless file system that does not require provisioning or managing storage. Stored files can be automatically encrypted by the service, but this feature is not always enabled by default. This rule raises an issue when an EFS file system is created with encryption disabled.

What is the potential impact?

If adversaries gain physical access to the storage medium or otherwise read data from the file system, for example through a vulnerability in the service, they can access the data. This could result in the exposure of sensitive information such as personal data, credentials, or business-critical files.

How to fix it

Code examples

Encryption and decryption are handled transparently by EFS, so no further modifications to the application are necessary.

Noncompliant code example

For aws_efs_file_system:

resource "aws_efs_file_system" "fs" {  # Noncompliant: "encrypted" not set, so it defaults to false
}

Compliant solution

For aws_efs_file_system:

resource "aws_efs_file_system" "fs" {
  encrypted = true
}
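An added check, not code from the rule's own implementation or from the Terraform provider: a small Python script that applies the same logic to a Terraform file, flagging every aws_efs_file_system resource whose encrypted argument is missing or false. The sample HCL and the var.efs_key_arn reference are constructed for illustration.

```python
import re

# Constructed sample Terraform (not from any real project): three EFS file
# systems, of which only "data" is compliant.
SAMPLE_TF = """
resource "aws_efs_file_system" "logs" {
  creation_token = "logs"
}

resource "aws_efs_file_system" "scratch" {
  encrypted = false
}

resource "aws_efs_file_system" "data" {
  encrypted  = true
  kms_key_id = var.efs_key_arn
}
"""

# Matches a top-level aws_efs_file_system resource and captures its name and
# body. Assumes attribute-only bodies with no nested blocks, which is all this
# check needs to inspect.
RESOURCE_RE = re.compile(
    r'resource\s+"aws_efs_file_system"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches an "encrypted = true|false" line inside the resource body.
ENCRYPTED_RE = re.compile(r'^\s*encrypted\s*=\s*(true|false)\b', re.M)


def find_unencrypted_efs(hcl: str) -> list[str]:
    """Return the names of aws_efs_file_system resources that are not encrypted.

    A missing "encrypted" argument is treated as disabled, because the
    Terraform provider defaults it to false.
    """
    findings = []
    for name, body in RESOURCE_RE.findall(hcl):
        match = ENCRYPTED_RE.search(body)
        if match is None or match.group(1) == "false":
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_unencrypted_efs(SAMPLE_TF):
        print(f'aws_efs_file_system "{name}": encryption disabled (noncompliant)')
```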

Resources

Documentation

Standards