Compliance · Medium severity

AWS Security Hub · EFS

EFS.8: EFS file systems should be encrypted at rest

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EFS.8 check?

EFS.8 checks whether an EFS file system is encrypted at rest with an AWS KMS key. It reports FAILED when the file system was created without encryption, the same condition its sibling control EFS.1 checks.

Why does EFS.8 matter?

An unencrypted file system keeps its data outside the KMS boundary, so there is no key policy governing access and no CloudTrail record of decrypts. For shared storage that frequently holds sensitive application data, that is exactly the kind of gap a compliance audit fails you on.

How do I fix EFS.8?

  1. Audit file systems for the Encrypted attribute with describe-file-systems.
  2. Because the flag is fixed at creation, build an encrypted twin file system with a KMS key.
  3. Migrate data with AWS DataSync, repoint mount targets and clients, then delete the unencrypted original.
  4. Enable the account-level encryptByDefault setting plus an SCP and Config rule so the finding cannot recur.

Remediation script · bash

#!/usr/bin/env bash
set -euo pipefail

# 1. Flip the EBS default across every enabled region (idempotent, free, new volumes only).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  aws ec2 enable-ebs-encryption-by-default --region "$region" >/dev/null
  echo "$region: EBS default encryption on"
done

# 2. Inventory the immutable storage that needs migrating.
aws efs describe-file-systems \
  --query 'FileSystems[?Encrypted==`false`].[FileSystemId,Name,SizeInBytes.Value]' --output table
aws workspaces describe-workspaces \
  --query 'Workspaces[?RootVolumeEncryptionEnabled==`false`].[WorkspaceId,UserName]' --output table

# 3. Create an encrypted EFS replacement (then migrate data with AWS DataSync, cut over, delete source).
aws efs create-file-system --encrypted \
  --kms-key-id alias/storage-encryption \
  --performance-mode generalPurpose --throughput-mode elastic

# 4. Confirm the default holds, then back it with a Config rule and an SCP.
aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault'

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt EBS and EFS storage at rest.
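As an added illustration of fix steps 1 and 4 (not part of the Emnode page or its script), the Python below evaluates a constructed describe-file-systems response the way the control does and emits the SCP that blocks new unencrypted file systems. The file system IDs, names and KMS key ARN are made up, and the policy evaluator is a simplified model of IAM that treats an omitted Encrypted parameter as false.

```python
# Constructed sample of `aws efs describe-file-systems` output (not real account data).
SAMPLE_DESCRIBE = {
    "FileSystems": [
        {"FileSystemId": "fs-0123456789abcdef0", "Name": "app-shared",
         "Encrypted": False, "SizeInBytes": {"Value": 5368709120}},
        {"FileSystemId": "fs-0fedcba9876543210", "Name": "app-shared-enc",
         "Encrypted": True, "SizeInBytes": {"Value": 1024},
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ]
}


def unencrypted_file_systems(describe_output):
    """Step 1: the file systems EFS.8 reports as FAILED, with the bytes DataSync must move."""
    return [
        {"FileSystemId": fs["FileSystemId"], "Name": fs.get("Name", ""),
         "SizeInBytes": fs["SizeInBytes"]["Value"]}
        for fs in describe_output["FileSystems"]
        if not fs.get("Encrypted", False)
    ]


def deny_unencrypted_efs_scp():
    """Step 4 guardrail: SCP that denies CreateFileSystem unless encryption is requested."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedEfsCreate",
            "Effect": "Deny",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {"Bool": {"elasticfilesystem:Encrypted": "false"}},
        }],
    }


def scp_denies_request(scp, request):
    """Simplified IAM evaluation of the single Bool condition above. Assumption: an
    omitted Encrypted parameter counts as false, matching the API default."""
    requested = str(request.get("Encrypted", False)).lower()
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "elasticfilesystem:CreateFileSystem":
            continue
        expected = stmt["Condition"]["Bool"]["elasticfilesystem:Encrypted"]
        if requested == expected:
            return True
    return False
```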

Is EFS.8 a false positive?

Encryption can never be turned on in place, so there is no configuration the control could be misreading; as with EFS.1, the only fix is to build an encrypted file system and migrate.

Part of the learning path Encrypt everything
  • EFS.1 EFS data is not encrypted at rest
  • EFS.2 EFS has no automatic backups
  • EFS.3 EFS access points should enforce a root directory
  • EFS.4 EFS access points should enforce a user identity
  • EFS.6 Mount targets not in public-IP subnets
  • EFS.7 EFS file systems should have automatic backups