> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS KMS Customer Master Keys For EFS Encryption

### More Info:

Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.

### Risk Level

High

### Address

Security

### Compliance Standards

ISO27001, HIPAA

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console.
        2. Navigate to the API Gateway console. You can do this by typing "API Gateway" in the search bar and selecting it from the dropdown menu.
        3. In the API Gateway console, select the API you want to check.
        4. In the API details page, select the "Stages" option from the left-hand side menu. Here, you can see all the stages of your API. Click on the stage you want to check.
        5. In the stage editor, select the "Logs/Tracing" tab. Here, you can see the "CloudWatch Settings". If the "Enable CloudWatch Logs" option is not selected, it means that AWS KMS Customer Master Keys for EFS Encryption is not enabled in API Gateway.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.

        2. Once AWS CLI is installed and configured, you can use the following command to list all the API Gateways:

           ```
           aws apigateway get-rest-apis
           ```

           This command will return a list of all the API Gateways along with their details.

        3. Now, to check the AWS KMS Customer Master Keys for EFS Encryption, you need to list all the resources of each API Gateway. You can do this by using the following command:

           ```
           aws apigateway get-resources --rest-api-id <rest-api-id>
           ```

           Replace `<rest-api-id>` with the ID of the API Gateway you want to check. This command will return a list of all the resources of the specified API Gateway.

        4. Finally, for each resource, you need to check the `aws:kms:KeyArn` property. If this property is not set or is set to a key that is not a Customer Master Key, then the EFS Encryption is misconfigured. You can do this by using the following command:

           ```
           aws apigateway get-integration --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>
           ```

           Replace `<rest-api-id>`, `<resource-id>`, and `<http-method>` with the ID of the API Gateway, the ID of the resource, and the HTTP method of the integration, respectively. This command will return the details of the integration, including the `aws:kms:KeyArn` property.
      </Accordion>

      <Accordion title="Using Python">
        1. Install and configure AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.

        ```python theme={null}
        pip install boto3
        aws configure
        ```

        2. Create a Python script that uses Boto3 to list all the API Gateways in your AWS account.

        ```python theme={null}
        import boto3

        def list_api_gateways():
            client = boto3.client('apigateway')
            response = client.get_rest_apis()
            return response['items']

        api_gateways = list_api_gateways()
        ```

        3. For each API Gateway, check if the EFS encryption is enabled. If the EFS encryption is not enabled, the API Gateway is misconfigured.

        ```python theme={null}
        def check_efs_encryption(api_gateways):
            client = boto3.client('kms')
            misconfigured_gateways = []
            for gateway in api_gateways:
                try:
                    response = client.describe_key(KeyId=gateway['id'])
                    if response['KeyMetadata']['KeyState'] != 'Enabled':
                        misconfigured_gateways.append(gateway['name'])
                except Exception as e:
                    print(f"Error checking EFS encryption for {gateway['name']}: {e}")
            return misconfigured_gateways

        misconfigured_gateways = check_efs_encryption(api_gateways)
        ```

        4. Print out the names of the misconfigured API Gateways.

        ```python theme={null}
        print("Misconfigured API Gateways:")
        for gateway in misconfigured_gateways:
            print(gateway)
        ```

        This script will list all the API Gateways in your AWS account and check if the EFS encryption is enabled for each one. If the EFS encryption is not enabled, the script will print out the name of the API Gateway.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the misconfiguration of KMS Customer Master Keys for EFS Encryption in AWS using the AWS console:

        1. Log in to the AWS Management Console and navigate to the Amazon EFS service.

        2. Select the EFS file system that is currently using the default AWS-managed CMK for encryption.

        3. Click on the "Modify" button in the top menu bar.

        4. In the "Modify File System" page, scroll down to the "Encryption" section.

        5. Select "Customer managed CMK" from the "Key Management" drop-down menu.

        6. Choose the desired KMS Customer Master Key from the "Select a CMK" drop-down menu.

        7. Click on the "Save" button to save the changes.

        8. Once the changes are saved, the EFS file system will start using the selected KMS Customer Master Key for encryption.

        9. Repeat the above steps for all the other EFS file systems that are currently using the default AWS-managed CMK for encryption.

        By following the above steps, you can remediate the misconfiguration of KMS Customer Master Keys for EFS Encryption in AWS using the AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The misconfiguration "AWS KMS Customer Master Keys for EFS Encryption" means that the EFS file system is not using a KMS Customer Master Key (CMK) for encryption. To remediate this, you can follow these steps using AWS CLI:

        1. Create a KMS Customer Master Key (CMK) if you don't have one already:

        ```
        aws kms create-key --description "EFS CMK"
        ```

        2. Enable the key for EFS use:

        ```
        aws kms enable-key --key-id <kms_key_id> --key-usage ENCRYPT_DECRYPT --grant-permissions "GranteePrincipal=ec2.amazonaws.com,Operations=['Encrypt','Decrypt']"
        ```

        Note: Replace `<kms_key_id>` with the ID of the KMS CMK created in step 1.

        3. Modify the EFS file system to use the KMS CMK:

        ```
        aws efs update-file-system --file-system-id <efs_file_system_id> --encrypted --kms-key-id <kms_key_id>
        ```

        Note: Replace `<efs_file_system_id>` with the ID of the EFS file system and `<kms_key_id>` with the ID of the KMS CMK created in step 1.

        4. Verify that the EFS file system is using the KMS CMK for encryption:

        ```
        aws efs describe-file-systems --file-system-id <efs_file_system_id> --query "FileSystems[*].KmsKeyId"
        ```

        Note: Replace `<efs_file_system_id>` with the ID of the EFS file system.

        If the output of the command in step 4 shows the KMS CMK ID, then the remediation is successful.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of using AWS KMS Customer Master Keys for EFS Encryption, you can follow the below steps using Python:

        Step 1: Create a new AWS KMS Customer Master Key (CMK) for EFS Encryption.

        ```
        import boto3

        kms = boto3.client('kms')

        response = kms.create_key(
            Description='EFS CMK',
            KeyUsage='ENCRYPT_DECRYPT',
            Origin='AWS_KMS',
            CustomerMasterKeySpec='SYMMETRIC_DEFAULT'
        )

        key_id = response['KeyMetadata']['KeyId']
        ```

        Step 2: Update the EFS file system to use the new CMK for encryption.

        ```
        efs = boto3.client('efs')

        response = efs.update_file_system(
            FileSystemId='fs-12345678',
            Encrypted=True,
            KmsKeyId=key_id
        )
        ```

        Step 3: Enable EFS encryption for all new file systems using the new CMK.

        ```
        response = efs.put_account_preferences(
            ResourceId='123456789012',
            Encrypted=True,
            KmsKeyId=key_id
        )
        ```

        Note: Replace `fs-12345678` with the ID of the EFS file system you want to update, and `123456789012` with your AWS account ID.

        By following these steps, you can remediate the misconfiguration of using AWS KMS Customer Master Keys for EFS Encryption.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html](https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html)
