Compliance · Medium severity

AWS Security Hub · EFS

EFS.1: EFS data is not encrypted at rest

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EFS.1 check?

EFS.1 checks whether an EFS file system is encrypted at rest with a KMS key. It reports FAILED when the file system was created without encryption enabled.

Why does EFS.1 matter?

An unencrypted EFS file system stores its data in plaintext on AWS-managed disks, leaving it outside the KMS control plane — no audit of decrypts, no key-based revocation. For shared file storage that often holds application data and uploads, that is a meaningful gap an auditor will flag.

How do I fix EFS.1?

  1. Inventory file systems and check the Encrypted attribute with describe-file-systems.
  2. Because encryption is immutable, create a new encrypted file system with a KMS key.
  3. Migrate data with AWS DataSync to cut over without an outage.
  4. Point clients at the new file system's mount targets, then delete the old file system and add a Config rule to catch regressions.

Remediation script · bash

# 1. Flip the EBS default across every enabled region (idempotent, free, new volumes only).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  echo "$region: EBS default encryption on"
done

# 2. Inventory the immutable storage that needs migrating.
aws efs describe-file-systems \
  --query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name,SizeInBytes.Value]' --output table
aws workspaces describe-workspaces \
  --query 'Workspaces[?RootVolumeEncryptionEnabled==`false`].[WorkspaceId,UserName]' --output table

# 3. Create an encrypted EFS replacement (then migrate data with AWS DataSync, cut over, delete source).
aws efs create-file-system --encrypted \
  --kms-key-id alias/storage-encryption \
  --performance-mode generalPurpose --throughput-mode elastic

# 4. Confirm the default holds, then back it with a Config rule and an SCP.
aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault'

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt EBS and EFS storage at rest.
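The inventory step and the regression check above can also be run as plain code over the `describe-file-systems` output. The following is an added example, not Emnode's or AWS's code: it applies the EFS.1 semantics (the Encrypted flag) to a constructed sample response, optionally flags file systems encrypted with a key other than an expected one (a stricter check than EFS.1 itself), and lists the unencrypted file systems that need the replace-and-migrate path. The IDs, names and key ARNs are placeholders.

```python
import json

# Constructed sample of an `aws efs describe-file-systems` response; the IDs,
# names and key ARNs are placeholders, not real account data.
SAMPLE_RESPONSE = json.loads("""
{
  "FileSystems": [
    {"FileSystemId": "fs-0123456789abcdef0", "Name": "uploads",
     "Encrypted": false, "SizeInBytes": {"Value": 5368709120}},
    {"FileSystemId": "fs-0fedcba9876543210", "Name": "shared-app-data",
     "Encrypted": true, "SizeInBytes": {"Value": 1073741824},
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"FileSystemId": "fs-00000000000000001", "Name": "legacy-scratch",
     "Encrypted": true, "SizeInBytes": {"Value": 0},
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
    {"FileSystemId": "fs-00000000000000002", "Name": "tmp-exports",
     "Encrypted": false, "SizeInBytes": {"Value": 104857600}}
  ]
}
""")


def evaluate_efs1(response, expected_key_arn=None):
    """Apply EFS.1 to every file system in a describe-file-systems response.
    Returns {FileSystemId: (status, reason)}. FAILED when the Encrypted flag
    is off (the Security Hub semantics), PASSED otherwise. If expected_key_arn
    is given, an encrypted file system using any other key is reported as
    WARNING; that is stricter than EFS.1, which only inspects the flag."""
    results = {}
    for fs in response.get("FileSystems", []):
        fs_id = fs["FileSystemId"]
        if not fs.get("Encrypted", False):
            results[fs_id] = ("FAILED", "not encrypted at rest; encryption is "
                              "immutable, so replace the file system and migrate")
        elif expected_key_arn and fs.get("KmsKeyId") != expected_key_arn:
            results[fs_id] = ("WARNING", "encrypted with a key other than the expected one")
        else:
            results[fs_id] = ("PASSED", "encrypted at rest")
    return results


def migration_plan(response):
    """Unencrypted file systems that need an encrypted replacement, largest
    first, so the longest DataSync transfers are started first."""
    failed = [fs for fs in response.get("FileSystems", []) if not fs.get("Encrypted", False)]
    failed.sort(key=lambda fs: fs["SizeInBytes"]["Value"], reverse=True)
    return [(fs["FileSystemId"], fs.get("Name", ""), fs["SizeInBytes"]["Value"]) for fs in failed]


if __name__ == "__main__":
    for fs_id, (status, reason) in evaluate_efs1(SAMPLE_RESPONSE).items():
        print(f"{fs_id}: {status} ({reason})")
    print("migrate:", migration_plan(SAMPLE_RESPONSE))
```

Feed it the real output of `aws efs describe-file-systems --output json` (via `json.load`) to get the same evaluation against your own account.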

Is EFS.1 a false positive?

The encryption flag cannot be turned on in place — fixing EFS.1 always means creating an encrypted file system and migrating, not editing the existing one.

Part of the learning path Encrypt everything
  • EFS.2 EFS has no automatic backups
  • EFS.3 EFS access points should enforce a root directory
  • EFS.4 EFS access points should enforce a user identity
  • EFS.6 Mount targets not in public-IP subnets
  • EFS.7 EFS file systems should have automatic backups
  • EFS.8 EFS file systems should be encrypted at rest