MEDIUM EFS · CIS 2.4.1

EFS encryption at rest

Check ID: aws-efs-001

AWS-EFS-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether EFS file systems are encrypted at rest. Unencrypted EFS data can be read if the underlying storage is compromised.

Why it matters

EFS encryption cannot be enabled after creation, so an unencrypted file system remains a permanent security gap until its data is migrated to a new, encrypted one. EFS stores data on NFS-backed storage that may be shared at the hardware level across multiple AWS customers. Without encryption, data is protected only by AWS's physical security controls, with no cryptographic protection against insider threats or hardware compromise. In regulated environments, unencrypted storage of PII, PHI, or financial data violates GDPR, HIPAA, and PCI-DSS encryption-at-rest requirements. EFS encryption uses AES-256 with minimal overhead (a single-digit percentage performance impact), leaving no practical reason to skip it on new file systems.

Common causes

EFS file systems created before AWS defaulted to encryption (pre-2020) remain unencrypted because there is no in-place encryption option. Terraform modules and CloudFormation templates that predate the encryption feature may not include the encrypted parameter. Teams migrating from on-premises NFS servers may replicate the existing unencrypted configuration without enabling AWS-native encryption.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
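The detection logic behind this check, written out as an added example (not cloud-audit's own code): it evaluates the response shape of `aws efs describe-file-systems`, treats a missing Encrypted field as unencrypted, skips file systems already being deleted, and attaches the create-and-migrate remediation to each finding. The file system IDs, names and the KMS key ARN in the sample are constructed.

```python
import json

# Constructed sample in the shape returned by `aws efs describe-file-systems`.
# FileSystemId, Name, Encrypted, KmsKeyId and LifeCycleState are real response
# fields; the IDs and the key ARN below are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FileSystems": [
        {"FileSystemId": "fs-0aaa111122223333a", "Name": "shared-home",
         "Encrypted": True, "LifeCycleState": "available",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"FileSystemId": "fs-0bbb111122223333b", "Name": "legacy-nfs-import",
         "Encrypted": False, "LifeCycleState": "available"},
        {"FileSystemId": "fs-0ccc111122223333c", "Name": "old-template",
         "LifeCycleState": "available"},  # no Encrypted field at all
        {"FileSystemId": "fs-0ddd111122223333d", "Name": "being-removed",
         "Encrypted": False, "LifeCycleState": "deleting"},
    ]
})


def check_efs_encryption(describe_output, region="REGION"):
    """Return one finding per EFS file system that is not encrypted at rest.

    Conservative reading: a missing Encrypted field counts as unencrypted, so an
    odd or truncated response cannot hide a finding. File systems already in the
    deleting/deleted state are skipped because there is nothing left to migrate.
    """
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for fs in data.get("FileSystems", []):
        if fs.get("LifeCycleState") in ("deleting", "deleted"):
            continue
        if fs.get("Encrypted") is True:
            continue
        fs_id = fs["FileSystemId"]
        findings.append({
            "check_id": "aws-efs-001",
            "severity": "MEDIUM",
            "cis": "2.4.1",
            "resource": fs_id,
            "name": fs.get("Name", ""),
            # Encryption cannot be switched on in place: the fix is a new
            # encrypted file system plus a data migration, then retiring the old one.
            "remediation": (f"aws efs create-file-system --encrypted --region {region}; "
                            f"migrate data from {fs_id} with AWS DataSync or rsync, then delete it"),
        })
    return findings


if __name__ == "__main__":
    for f in check_efs_encryption(SAMPLE_DESCRIBE_OUTPUT, region="us-east-1"):
        print(f"[{f['severity']}] {f['check_id']} {f['resource']} ({f['name']}): {f['remediation']}")
```

To run it against a live account, pipe the real CLI output into the function instead of the constructed sample.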

Remediation: AWS CLI

# Create a new encrypted EFS file system (encryption cannot be added to an existing one):
aws efs create-file-system --encrypted --region REGION
# Migrate data from the unencrypted file system using AWS DataSync or rsync

Remediation: Terraform

resource "aws_efs_file_system" "encrypted" {
  encrypted  = true
  kms_key_id = aws_kms_key.efs.arn  # Optional: use custom KMS key
}

Compliance mapping

This check maps to CIS 2.4.1 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit