EFS file systems should be encrypted with CMK
Encrypting EFS with the default AWS-managed key gives you encryption at rest, but AWS controls the key lifecycle and you cannot restrict access through key policy, audit key usage independently, or rotate on your own schedule. A customer-managed CMK lets you define a granular key policy that limits which IAM principals can decrypt file system data, and every Decrypt and GenerateDataKey call appears in CloudTrail tied to your key ARN. If an attacker gains read access to the underlying EFS storage, the CMK key policy acts as a second authorization boundary.
For regulated workloads, auditors require evidence that the organization, not the cloud provider, controls the encryption key. Losing that distinction can turn a checkbox audit into a finding.
Retrofit consideration
EFS encryption is an immutable setting. You cannot enable encryption or change the KMS key on an existing file system. Retrofitting requires creating a new encrypted file system with the CMK, migrating data using AWS DataSync or rsync, updating all mount targets, and deleting the old file system.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "efs" {
source = "nistcsf.compliance.tf/terraform-aws-modules/efs/aws"
version = ">=2.0.0"
name = "abc123"
}
module "efs" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/efs/aws"
version = ">=2.0.0"
name = "abc123"
}
If you use terraform-aws-modules/efs/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "efs" {
source = "terraform-aws-modules/efs/aws"
version = ">=2.0.0"
name = "abc123"
}
Use AWS provider resources directly. See docs for the resources involved: aws_efs_file_system.
resource "aws_efs_file_system" "this" {
encrypted = true
kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
What this control checks
The aws_efs_file_system resource must have encrypted = true and kms_key_id set to the ARN of a customer-managed aws_kms_key. If encrypted is true but kms_key_id is omitted, AWS uses the default aws/elasticfilesystem service key, which fails this control. If encrypted is false or absent, the file system is unencrypted and also fails. To pass, declare an aws_kms_key resource (or reference an existing CMK ARN via data source) and assign its ARN to kms_key_id. A passing configuration pairs an aws_kms_key with a defined key policy with an aws_efs_file_system where encrypted = true and kms_key_id = aws_kms_key.efs.arn. The control verifies both arguments are present and that the referenced key is not an AWS-managed key.
Common pitfalls
Omitting kms_key_id still encrypts but fails the control
Setting
encrypted = truewithoutkms_key_idonaws_efs_file_systemcauses AWS to fall back to theaws/elasticfilesystemmanaged key. The file system is encrypted, so basic encryption checks pass, but this control specifically requires a CMK. Always setkms_key_idexplicitly.CMK key policy must grant EFS service permissions
aws_efs_file_systemcreation fails withAccessDeniedExceptionif theaws_kms_keykey policy does not grantkms:GenerateDataKey*andkms:Decryptto theelasticfilesystem.amazonaws.comservice principal (or the IAM role creating the file system). Write the key policy before the file system resource, not after.Cross-account CMK references require explicit grants
Referencing a CMK ARN from another account in
kms_key_idrequires a KMS grant or key policy statement that allows the EFS service in the target account. Without it,terraform plansucceeds butterraform applyfails during resource creation, which can be a confusing failure mode in multi-account pipelines.Encryption cannot be changed after creation
forces replacementin the Terraform plan is the first sign you have changedencryptedorkms_key_idon an existingaws_efs_file_system. That replacement destroys the file system and all its data. If you are remediating an unencrypted or default-key file system, have a DataSync or rsync migration plan ready before runningapply.KMS key rotation must be managed separately
A CMK satisfies this control, but if the key resource does not have
enable_key_rotation = true, you will likely fail the separatekms_cmk_rotation_enabledcontrol. These two controls are complementary. Wire both together in the same module.
Audit evidence
Auditors expect to see that all AWS::EFS::FileSystem resources are encrypted and use customer-managed KMS keys. Acceptable evidence includes custom AWS Config evaluations, Security Hub control outputs, or CSPM results that validate both Encrypted = true and a customer-managed KmsKeyId. Console screenshots of the EFS General settings page showing "Encrypted: Yes" and a CMK ARN (not alias aws/elasticfilesystem) are direct proof. CloudTrail CreateFileSystem events with the Encrypted and KmsKeyId parameters confirm encryption was set at creation time. For continuous assurance, Security Hub findings or a CSPM report filtered to this specific check cover all accounts and regions.
Framework-specific interpretation
NIST Cybersecurity Framework v2.0: PR.DS expects the organization to maintain control over cryptographic material protecting data at rest. A CMK satisfies that directly: you own the key policy, control the rotation schedule, and see every decrypt operation in CloudTrail. The AWS-managed default key provides none of that.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
efs_file_system_encrypted_with_cmkAWS Config Managed Rule:
EFS_FILESYSTEM_CT_ENCRYPTEDCheckov Check:
CKV_AWS_184Powerpipe Control:
aws_compliance.control.efs_file_system_encrypted_with_cmkProwler Check:
efs_encryption_at_rest_enabledAWS Security Hub Controls:
EFS.1,EFS.8KICS Query:
25d251f3-f348-4f95-845c-1090e41a615c
Last reviewed: 2026-03-09