enable-at-rest-encryption
Explanation
If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating a file system that is encrypted at rest, and mounting your file system using encryption of data in transit.
Possible Impact
Data can be read from the EFS if compromised
Suggested Resolution
Enable encryption for EFS
Insecure Example
The following example will fail the AVD-AWS-0037 check.
---
Resources:
BadExample:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
Encrypted: false
ThroughputMode: bursting
Secure Example
The following example will pass the AVD-AWS-0037 check.
---
Resources:
GoodExample:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
Encrypted: true
ThroughputMode: bursting