
Non-encrypted confidential information - EFS

Need

Secure encryption of confidential information in AWS Elastic File System (EFS) using Customer Managed Keys (CMKs)

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws-sdk for interacting with AWS services and resources

Description

Non-compliant code

resource "aws_efs_file_system" "example" {
  creation_token = "my-product"
}

The above code creates an AWS Elastic File System (EFS) instance using Terraform. However, the code is vulnerable because it does not specify any encryption configuration. By default, AWS EFS instances are encrypted with a default KMS key provided by AWS.

This is a potential security risk because the default KMS key is managed by AWS, not by the customer. This means that the customer does not have full control over the encrypted information. If the default KMS key is compromised, the data stored in the EFS instance could be at risk.

Best practices recommend using Customer Managed Keys (CMKs) for encryption. With CMKs, the customer has full control over the key management, including key creation, rotation, and deletion. This can significantly reduce the risk of exposure of the encrypted information.

To fix this vulnerability, specify a KMS key ID in the kms_key_id argument and set encrypted to true when creating the EFS instance. The KMS key should be a Customer Managed Key.

Steps

  • Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS)
  • Enable encryption for the AWS Elastic File System (EFS) resource
  • Specify the CMK ARN (Amazon Resource Name) in the encryption configuration of the EFS resource

Compliant code

resource "aws_kms_key" "efs_encryption_key" {
  description             = "KMS key for EFS encryption"
  deletion_window_in_days = 7
}

resource "aws_efs_file_system" "example" {
  creation_token = "my-product"

  kms_key_id = aws_kms_key.efs_encryption_key.arn
  encrypted  = true
}

The above code first creates a Customer Managed Key (CMK) using the aws_kms_key resource. The description attribute is used to provide a meaningful name for the key, and deletion_window_in_days is set to 7. This means that when this key is deleted, AWS will retain the key for an additional 7 days, during which you can recover the key if it was deleted by mistake.

Next, the aws_efs_file_system resource is updated to use the newly created CMK for encryption. The kms_key_id attribute is set to the ARN of the CMK, and the encrypted attribute is set to true to enable encryption.

This change ensures that the EFS file system is encrypted using a CMK, giving you full control over the encryption and decryption of your data. This is a best practice for securing sensitive data in AWS EFS.
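
The following check is an added example, not code from the original page or from Terraform or AWS: it reads the "configuration" section of a plan exported with terraform show -json and reports every aws_efs_file_system that does not set encrypted = true together with a kms_key_id. The sample plan is constructed and trimmed, and the names fixed, storage and shared are hypothetical.

```python
import json

# Constructed sample: the "configuration" section of `terraform show -json <plan>`,
# trimmed to the fields this check reads. "fixed" and "storage" are made-up names.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {
  "resources": [
    {"address": "aws_efs_file_system.example", "type": "aws_efs_file_system",
     "expressions": {"creation_token": {"constant_value": "my-product"}}},
    {"address": "aws_efs_file_system.fixed", "type": "aws_efs_file_system",
     "expressions": {"encrypted": {"constant_value": true},
                     "kms_key_id": {"references": ["aws_kms_key.efs_encryption_key.arn"]}}}
  ],
  "module_calls": {"storage": {"module": {"resources": [
    {"address": "aws_efs_file_system.shared", "type": "aws_efs_file_system",
     "expressions": {"encrypted": {"constant_value": true}}}
  ]}}}
}}}
""")


def iter_resources(module, prefix=""):
    """Yield (full_address, resource) for a module and its nested module calls."""
    for res in module.get("resources", []):
        yield prefix + res["address"], res
    for name, call in module.get("module_calls", {}).items():
        yield from iter_resources(call.get("module", {}), f"{prefix}module.{name}.")


def audit_efs(plan):
    """Return {address: [problems]} for EFS file systems lacking CMK encryption."""
    findings = {}
    root = plan.get("configuration", {}).get("root_module", {})
    for address, res in iter_resources(root):
        if res.get("type") != "aws_efs_file_system":
            continue
        expr = res.get("expressions", {})
        problems = []
        # Unset, false, or a non-literal value all fail this test.
        if expr.get("encrypted", {}).get("constant_value") is not True:
            problems.append("encrypted is not set to true")
        if "kms_key_id" not in expr:
            problems.append("kms_key_id is not set")
        if problems:
            findings[address] = problems
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_efs(SAMPLE_PLAN), indent=2))
```

The check reads the written configuration rather than the planned values, so it reports what the code declares; it does not confirm that a literal key ARN belongs to a customer managed key.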
