enable-at-rest-encryption
Default Severity: high
Explanation
If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating a file system that is encrypted at rest, and mounting your file system using encryption of data in transit.
Possible Impact
Data stored on the EFS file system can be read in the clear if the underlying storage is compromised
Suggested Resolution
Enable encryption for EFS
Insecure Example
The following example will fail the aws-efs-enable-at-rest-encryption check.
resource "aws_efs_file_system" "bad_example" {
  # creation_token is the identifying argument of this resource; `name` is
  # not a valid aws_efs_file_system argument and fails validation
  creation_token = "bar"
  encrypted      = false
  kms_key_id     = ""
}
Secure Example
The following example will pass the aws-efs-enable-at-rest-encryption check.
resource "aws_efs_file_system" "good_example" {
  creation_token = "bar"
  encrypted      = true
  # kms_key_id must be the ARN of a customer-managed KMS key; "my_kms_key"
  # is a placeholder. If omitted, AWS uses the AWS-managed key for EFS.
  kms_key_id     = "my_kms_key"
}
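The check above can also be enforced against a Terraform plan before apply. The following is an added example, not part of this rule page or its scanner: it reads `terraform show -json` output (a constructed sample is embedded) and reports every aws_efs_file_system whose `encrypted` attribute is not true, treating an omitted attribute as failing because the provider default is false.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not real plan
# output), mirroring the two resources from the page plus two extra cases.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_efs_file_system.bad_example",
         "type": "aws_efs_file_system",
         "values": {"creation_token": "bar", "encrypted": False, "kms_key_id": ""}},
        {"address": "aws_efs_file_system.good_example",
         "type": "aws_efs_file_system",
         "values": {"creation_token": "bar", "encrypted": True, "kms_key_id": "my_kms_key"}},
        # `encrypted` omitted entirely: the provider default is false
        {"address": "aws_efs_file_system.implicit",
         "type": "aws_efs_file_system",
         "values": {"creation_token": "baz"}},
        # unrelated resource type, must be ignored
        {"address": "aws_efs_mount_target.example",
         "type": "aws_efs_mount_target",
         "values": {"file_system_id": "fs-0123"}},
    ]}},
})


def _walk_modules(module):
    """Yield every resource in a plan module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_unencrypted_efs(plan_json):
    """Return addresses of aws_efs_file_system resources that fail the check.

    A file system fails when `encrypted` is false and also when the attribute
    is absent from the planned values, since the default is false.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in _walk_modules(root):
        if res.get("type") != "aws_efs_file_system":
            continue
        if res.get("values", {}).get("encrypted") is not True:
            failing.append(res["address"])
    return failing


if __name__ == "__main__":
    for address in find_unencrypted_efs(SAMPLE_PLAN):
        print(f"FAIL aws-efs-enable-at-rest-encryption: {address}")
```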