Drata validates that AWS Elastic File System (EFS) data is encrypted at rest using AWS KMS for all regions. EFS data should be encrypted at rest using AWS KMS (Key Management Service).
​
Data should be encrypted at rest to reduce the risk of a data breach via direct access to
the storage device.

This test is part of the Encryption at Rest control (DCF-54) that ensures data at rest is encrypted using strong cryptographic algorithms.

If Drata finds that AWS one or more EFS file systems are not encrypted at rest in one or more regions, the test will fail. Data should be encrypted at rest to reduce the risk of a data breach via direct access to the storage device.

EFS file system data at rest encryption must be turned on when creating the file system. If an EFS file system has been created without data at rest encryption enabled, then you must create another EFS file system with the correct configuration and transfer the data.

This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.