Walkthrough: Enforcing Encryption on an Amazon EFS File System at Rest - Amazon Elastic File System
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Walkthrough: Enforcing Encryption on an Amazon EFS File System at Rest

Following, you can find details about how to enforce encryption at rest using Amazon CloudWatch and Amazon CloudTrail. This walkthrough is based upon the Amazon white paper Encrypt Data at Rest with Amazon EFS Encrypted File Systems.

Note

The method for enforcing the creation of Amazon EFS file systems that are encrypted at rest described in this walkthrough is deprecated. The preferred method to enforce the creation of file systems that are encrypted at rest is to use the elasticfilesystem:Encrypted condition key in Amazon Identity and Access Management identity-based policies. For more information, see Example: Enforce the creation of encrypted file systems. You can use this walkthrough to create CloudWatch alarms to validate that your IAM policies are preventing the creation of unencrypted file systems.

Enforcing Encryption at Rest

Your organization might require the encryption at rest of all data that meets a specific classification or that is associated with a particular application, workload, or environment. You can enforce policies for data encryption at rest for Amazon EFS file systems by using detective controls. These controls detect the creation of a file system and verify that encryption at rest is enabled.

If a file system that doesn't have encryption at rest is detected, you can respond in a number of ways. These range from deleting the file system and its mount targets to notifying an administrator. Because a detective control acts after the fact, the unencrypted file system exists, and can receive data, until the response runs; a preventive control such as the elasticfilesystem:Encrypted IAM condition key closes that window, and the alarm then serves to confirm that the policy is working.

Encryption at rest can be enabled only when a file system is created, so an existing unencrypted file system cannot be converted in place. If you want to delete an unencrypted-at-rest file system but want to retain the data, first create a new encrypted-at-rest file system. Next, copy the data over to the new encrypted-at-rest file system. After the data is copied over, you can delete the unencrypted-at-rest file system.

Detecting File Systems That are Unencrypted at Rest

You can create a CloudWatch alarm that monitors CloudTrail logs for the CreateFileSystem event and notifies an administrator when the file system that was created is unencrypted at rest.

Create a Metric Filter

To create a CloudWatch alarm that is triggered when an unencrypted Amazon EFS file system is created, use the following procedure.

Before you begin, you must have an existing trail created that is sending CloudTrail logs to a CloudWatch Logs log group. The trail must record events in every Region where file systems can be created, so use a multi-Region trail or one trail per Region; a single-Region trail does not see CreateFileSystem calls made elsewhere. For more information, see Sending Events to CloudWatch Logs in the Amazon CloudTrail User Guide.

To create a metric filter
  1. Open the CloudWatch console at https://console.amazonaws.cn/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, choose the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter page, choose Filter Pattern and then type the following:

    { ($.eventName = CreateFileSystem) && ($.responseElements.encrypted IS FALSE) }
  6. Choose Assign Metric.

  7. For Filter Name, type UnencryptedFileSystemCreated.

  8. For Metric Namespace, type CloudTrailMetrics.

  9. For Metric Name, type UnencryptedFileSystemCreatedEventCount.

  10. Choose Show advanced metric settings.

  11. For Metric Value, type 1.

  12. Choose Create Filter.

Create an Alarm

After you create the metric filter, use the following procedure to create an alarm.

To create an alarm
  1. On the Filters for the Log_Group_Name page, next to the UnencryptedFileSystemCreated filter name, choose Create Alarm.

  2. On the Create Alarm page, set the following parameters:

    • For Name, type Unencrypted File System Created

    • For Whenever, do the following:

      • Set is to >= 1

      • Set for: to 1 consecutive period(s).

    • For Treat missing data as, choose good (not breaching threshold).

    • For Actions, do the following:

      • For Whenever this alarm, choose State is ALARM.

      • For Send notification to, choose NotifyMe, choose New list, and then type a unique topic name for this list.

      • For Email list, type in the email address where you want notifications sent. Amazon SNS sends a subscription confirmation email to this address; you must confirm the subscription, or alarm notifications are not delivered.

    • For Alarm Preview, do the following:

      • For Period, choose 1 Minute.

      • For Statistic, choose Standard and Sum.

  3. Choose Create Alarm.
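The metric filter and alarm procedures above are console steps, so the matching logic and the resulting settings are easy to get subtly wrong. The following is an added example, not code from the Amazon documentation or the EFS service: it evaluates the walkthrough's filter pattern locally against constructed CloudTrail records (including a denied CreateFileSystem call, which has no responseElements and therefore must not match), and it builds the parameter sets for the CloudWatch Logs PutMetricFilter and CloudWatch PutMetricAlarm API calls that reproduce steps 5 through 12 and the alarm settings. The log group name, SNS topic ARN and the sample events are placeholders constructed for illustration.

```python
"""Local model of the walkthrough's detective control (added example).

The sample CloudTrail records below are constructed for illustration; the
file system IDs, ARNs and log group name are placeholders, not real resources.
"""
import json

# Filter pattern from the walkthrough, kept verbatim so it can be passed
# to PutMetricFilter unchanged.
FILTER_PATTERN = (
    "{ ($.eventName = CreateFileSystem) && "
    "($.responseElements.encrypted IS FALSE) }"
)


def is_unencrypted_create(event: dict) -> bool:
    """Mirror the metric filter's semantics on one CloudTrail record.

    `IS FALSE` matches only the JSON boolean false. A record whose
    responseElements is null (for example a call that IAM denied) or whose
    encrypted field is missing does not match, so a working preventive
    policy produces no alarm.
    """
    if event.get("eventName") != "CreateFileSystem":
        return False
    response = event.get("responseElements") or {}
    return response.get("encrypted") is False


def count_unencrypted_creates(log_lines) -> int:
    """Apply the filter to newline-delimited JSON log events.

    Each match contributes 1, which is the 'Metric Value: 1' setting from
    the console steps; a Sum over the alarm period then counts creations.
    """
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; the real filter skips it too
        if is_unencrypted_create(record):
            total += 1
    return total


def metric_filter_params(log_group_name: str) -> dict:
    """Keyword arguments for logs.put_metric_filter (steps 5 to 12)."""
    return {
        "logGroupName": log_group_name,
        "filterName": "UnencryptedFileSystemCreated",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": "UnencryptedFileSystemCreatedEventCount",
            "metricNamespace": "CloudTrailMetrics",
            "metricValue": "1",
        }],
    }


def alarm_params(sns_topic_arn: str) -> dict:
    """Keyword arguments for cloudwatch.put_metric_alarm (alarm steps)."""
    return {
        "AlarmName": "Unencrypted File System Created",
        "Namespace": "CloudTrailMetrics",
        "MetricName": "UnencryptedFileSystemCreatedEventCount",
        "Statistic": "Sum",
        "Period": 60,                 # 1 minute
        "EvaluationPeriods": 1,       # 1 consecutive period
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",  # >= 1
        "TreatMissingData": "notBreaching",  # good (not breaching threshold)
        "AlarmActions": [sns_topic_arn],     # notify when State is ALARM
    }


# Constructed sample log events: one unencrypted creation, one encrypted,
# one unrelated call, and one creation that IAM denied.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "elasticfilesystem.amazonaws.com",
                "eventName": "CreateFileSystem",
                "responseElements": {"fileSystemId": "fs-EXAMPLE1",
                                     "encrypted": False}}),
    json.dumps({"eventSource": "elasticfilesystem.amazonaws.com",
                "eventName": "CreateFileSystem",
                "responseElements": {"fileSystemId": "fs-EXAMPLE2",
                                     "encrypted": True}}),
    json.dumps({"eventSource": "elasticfilesystem.amazonaws.com",
                "eventName": "DescribeFileSystems",
                "responseElements": None}),
    json.dumps({"eventSource": "elasticfilesystem.amazonaws.com",
                "eventName": "CreateFileSystem",
                "errorCode": "AccessDenied",
                "responseElements": None}),
]

if __name__ == "__main__":
    print("unencrypted creations:", count_unencrypted_creates(SAMPLE_LOG_LINES))
    print(json.dumps(metric_filter_params("CloudTrail/DefaultLogGroup"), indent=2))
    print(json.dumps(alarm_params("arn:aws-cn:sns:REGION:ACCOUNT:NotifyMe"), indent=2))
```

To create the resources for real, pass the two dictionaries to boto3's `logs.put_metric_filter(**metric_filter_params(...))` and `cloudwatch.put_metric_alarm(**alarm_params(...))` with your own log group name and a topic ARN whose email subscription you have confirmed. The local evaluator is a convenience for reasoning about the pattern; the authoritative check remains the test in the next section, which exercises CloudTrail delivery, the filter, and the alarm end to end.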

Test the Alarm for the Creation of Unencrypted File Systems

You can test the alarm by creating an unencrypted-at-rest file system, as follows.

To test the alarm by creating an unencrypted-at-rest file system
  1. Open the Amazon EFS console at https://console.amazonaws.cn/efs.

  2. Choose Create File System.

  3. From the VPC list, choose your default VPC.

  4. Choose all the Availability Zones. Ensure that the default subnets, automatic IP addresses, and the default security groups are chosen. These are your mount targets.

  5. Choose Next Step.

  6. Name your file system and keep Enable encryption unchecked to create an unencrypted file system.

  7. Choose Next Step.

  8. Choose Create File System.

Your trail logs the CreateFileSystem operation and delivers the event to your CloudWatch Logs log group; allow a few minutes for CloudTrail delivery. The event matches your metric filter, the alarm enters the ALARM state, and the SNS topic sends the notification to the address you subscribed. When you have finished testing, delete the test file system: delete its mount targets first, because a file system that still has mount targets cannot be deleted.