# Step 1: Evidence Details

|System|Source of data|
|---|---|
|kubernetes, aws|compliancecow|

```
Purpose: The purpose of this control is to ensure that production databases are encrypted.

RecommendedEvidenceName: AWSEFSEncryptionReport
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

Kubernetes volume:

```
{
    "System": "kubernetes",
    "Source": "compliancecow",
    "ResourceID": "b710298e-b204-4098-aa29-vafevasdr",
    "ResourceName": "testvolume",
    "ResourceType": "PersistentVolume",
    "Version": "84988188",
    "CreatedDateTime": "2024-06-29T07:39:18Z",
    "Storage": "1Gi",
    "ClaimName": "testvolume-pvc",
    "ClaimNameSpace": "test",
    "ClaimID": "",
    "AccessModes": [
        "ReadWriteMany"
    ],
    "VolumeHandle": "fs-024255135fc0b769d0::fsap-05f5f9kvnasco",
    "ClusterName": "cluster-test"
}
```

AWS EFS:

```
{
    "System": "aws",
    "Source": "compliancecow",
    "ResourceID": "fs-024255135fc0b769d0",
    "ResourceName": "test-efs",
    "ResourceType": "Elastic File System",
    "ResourceURL": "https://us-west-2.console.aws.amazon.com/efs/home?region=us-west-2#/file-systems/fs-024255135fc0b769d0",
    "Account": "012345678",
    "NumberOfMountTargets": 2,
    "SizeInBytes": 15743498240,
    "CreatedDateTime": "2023-10-05T06:49:03.000000Z",
    "IsEncrypted": true,
    "KmsKeyID": "vcsdkvkj34-a82e-4fda-95fd-9315c861e507",
    "KeyManager": "AWS",
    "KeyRotationEnabled": true,
    "KeyLastRotationDate": "2024-01-18T23:02:02.299000Z",
    "KeyNextRotationDate": "2025-01-17T23:02:02.299000Z"
}
```



# Step 3: Define the Standard Schema

```
{
    "System": "aws, kubernetes",
    "Source": "compliancecow",
    "ResourceID": "fs-024255135fc0b769d0",
    "ResourceName": "test-efs",
    "ResourceType": "AWS - Elastic File System",
    "ResourceURL": "https://us-west-2.console.aws.amazon.com/efs/home?region=us-west-2#/file-systems/fs-024255135fc0b769d0",
    "CreatedDateTime": "2024-06-29T07:18:48.000000Z",
    "IsEncrypted": true,
    "KmsKeyID": "vcsdkvkj34-a82e-4fda-95fd-9315c861e507",
    "KeyManager": "AWS",
    "KeyLastRotationDate": "2024-01-18T23:02:02.299000Z",
    "K8sClusterName": "cluster-test",
    "K8sVolume": "testvolume",
    "K8sVolumeID": "b710298e-b204-4098-aa29-vafevasdr",
    "K8sVolumeClaim": "testvolume-pvc",
    "K8sNamespace": "test",
    "ValidationStatusCode": "EFS_ENCR",
    "ValidationStatusNotes": "Elastic File System is encrypted",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "The record is compliant as the EFS 'test-efs' is encrypted. Encrypting volumes in Kubernetes enhances data security and ensures compliance with regulatory standards without compromising performance or scalability.",
    "EvaluatedTime": "2024-07-01T10:27:46.924635Z",
    "UserAction": "",
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

| System          | Source          | ResourceID               | ResourceName | ResourceType               | ResourceURL                                                                                                        | CreatedDateTime              | IsEncrypted | KmsKeyID                                | KeyManager | KeyLastRotationDate        | K8sClusterName | K8sVolume  | K8sVolumeID                    | K8sVolumeClaim  | K8sNamespace | ValidationStatusCode | ValidationStatusNotes          | ComplianceStatus | ComplianceStatusReason                                                                                                           | EvaluatedTime              | UserAction | ActionStatus | ActionResponseURL |
|-----------------|-----------------|--------------------------|--------------|----------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------|-------------|------------------------------------------|------------|-----------------------------|----------------|------------|--------------------------------|-----------------|--------------|----------------------|--------------------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------|------------|--------------|-------------------|
| aws, kubernetes | compliancecow   | fs-024255135fc0b769d0    | test-efs     | AWS - Elastic File System  | [https://us-west-2.console.aws.amazon.com/efs/home?region=us-west-2#/file-systems/fs-024255135fc0b769d0](https://us-west-2.console.aws.amazon.com/efs/home?region=us-west-2#/file-systems/fs-024255135fc0b769d0) | 2024-06-29T07:18:48.000000Z | True        | vcsdkvkj34-a82e-4fda-95fd-9315c861e507 | AWS        | 2024-01-18T23:02:02.299000Z | cluster-test   | testvolume | b710298e-b204-4098-aa29-vafevasdr | testvolume-pvc  | test         | EFS_ENCR             | Elastic File System is encrypted | COMPLIANT        | The record is compliant as the EFS 'test-efs' is encrypted. Encrypting volumes in Kubernetes enhances data security and ensures compliance with regulatory standards without compromising performance or scalability. | 2024-07-01T10:27:46.924635Z |            |              |                   |


# Step 4: Describe the Compliance Taxonomy

| ResourceName | IsEncrypted | ValidationStatusCode | ValidationStatusNotes | ComplianceStatus | ComplianceStatusReason |
|--------------|-------------|----------------------|-----------------------|------------------|------------------------|
| test-efs  | true  | EFS_ENCR     | Elastic File System is encrypted     | COMPLIANT     | The record is compliant as the EFS 'test-efs' is encrypted. Encrypting volumes in Kubernetes enhances data security and ensures compliance with regulatory standards without compromising performance or scalability. |
| test-efs1 | false | EFS_NOT_ENCR | Elastic File System is not encrypted | NON_COMPLIANT | The record is not compliant as the EFS 'test-efs1' is not encrypted. Not encrypting volumes in Kubernetes exposes sensitive data to unauthorized access and potential breaches, while risking non-compliance with regulatory standards and legal consequences. |
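The Step 3 mapping and the Step 4 taxonomy, as an added example that is not ComplianceCow's own code: it joins a Kubernetes PersistentVolume record to the AWS EFS record behind it and emits one standard-schema record. It assumes the EFS CSI `VolumeHandle` has the form `<fs-id>::<access-point-id>`, so the text before `::` is the EFS `ResourceID` (that join key is an assumption, not stated on this page); the sample records are constructed from the Step 2 examples.

```python
# Added example (not ComplianceCow's code). Assumption: the EFS CSI VolumeHandle
# is '<fs-id>::<access-point-id>', so the text before '::' is the EFS ResourceID.
from datetime import datetime, timezone
# Constructed samples, trimmed to the fields the mapping reads.
K8S_VOLUMES = [{
    "ResourceID": "b710298e-b204-4098-aa29-vafevasdr", "ResourceName": "testvolume",
    "ClaimName": "testvolume-pvc", "ClaimNameSpace": "test", "ClusterName": "cluster-test",
    "VolumeHandle": "fs-024255135fc0b769d0::fsap-05f5f9kvnasco"}]
AWS_EFS = [{
    "ResourceID": "fs-024255135fc0b769d0", "ResourceName": "test-efs",
    "ResourceURL": "https://us-west-2.console.aws.amazon.com/efs/home?region=us-west-2#/file-systems/fs-024255135fc0b769d0",
    "CreatedDateTime": "2023-10-05T06:49:03.000000Z", "IsEncrypted": True,
    "KmsKeyID": "vcsdkvkj34-a82e-4fda-95fd-9315c861e507", "KeyManager": "AWS",
    "KeyLastRotationDate": "2024-01-18T23:02:02.299000Z"}]

def efs_id_from_handle(volume_handle: str) -> str:
    return volume_handle.split("::", 1)[0]  # 'fs-xxx::fsap-yyy' -> 'fs-xxx'

def evaluate(efs: dict) -> dict:
    """Step 4 taxonomy: the verdict rests only on the EFS IsEncrypted flag."""
    enc = efs.get("IsEncrypted") is True  # missing/unknown is treated as not encrypted
    neg = "" if enc else "not "
    return {"ValidationStatusCode": "EFS_ENCR" if enc else "EFS_NOT_ENCR",
            "ValidationStatusNotes": f"Elastic File System is {neg}encrypted",
            "ComplianceStatus": "COMPLIANT" if enc else "NON_COMPLIANT",
            "ComplianceStatusReason": f"The record is {neg}compliant as the EFS "
                                      f"'{efs['ResourceName']}' is {neg}encrypted."}

def build_standard_records(volumes: list, efs_list: list) -> list:
    """Step 3 mapping: one standard record per PV whose handle resolves to a known EFS."""
    by_id = {e["ResourceID"]: e for e in efs_list}
    records = []
    for pv in volumes:
        efs = by_id.get(efs_id_from_handle(pv["VolumeHandle"]))
        if efs is None:
            continue  # not EFS-backed or unknown file system: outside this control's scope
        records.append({
            "System": "aws, kubernetes", "Source": "compliancecow",
            "ResourceID": efs["ResourceID"], "ResourceName": efs["ResourceName"],
            "ResourceType": "AWS - Elastic File System", "ResourceURL": efs["ResourceURL"],
            "CreatedDateTime": efs["CreatedDateTime"], "IsEncrypted": efs["IsEncrypted"],
            "KmsKeyID": efs["KmsKeyID"], "KeyManager": efs["KeyManager"],
            "KeyLastRotationDate": efs["KeyLastRotationDate"],
            "K8sClusterName": pv["ClusterName"], "K8sVolume": pv["ResourceName"],
            "K8sVolumeID": pv["ResourceID"], "K8sVolumeClaim": pv["ClaimName"],
            "K8sNamespace": pv["ClaimNameSpace"], **evaluate(efs),
            "EvaluatedTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
            "UserAction": "", "ActionStatus": "", "ActionResponseURL": ""})
    return records
```

A PV whose handle does not resolve to a collected EFS file system produces no record, so it neither passes nor fails this control.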

# Step 5: Calculation for Compliance Percentage and Status


```
# Calculation of Compliance Percentage

TotalRecordCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))
```

Compliance Status:

- COMPLIANT - 100%
- NON_COMPLIANT - 0% to less than 100%
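The Step 5 calculation carried out over the `ComplianceStatus` column of standard-schema records, as an added example rather than ComplianceCow's own implementation. It keeps the page's formula and thresholds and adds the one case the formula leaves open: no evaluable records at all, where the division would fail (the `NOT_DETERMINED` status used for that case is an assumption, not from the page).

```python
# Added example (not ComplianceCow's code): Step 5 compliance percentage and status.
COUNTED = ("COMPLIANT", "NON_COMPLIANT")

def compliance_summary(records: list) -> dict:
    """CompliancePCT and ComplianceStatus for a list of standard-schema records.

    Only COMPLIANT / NON_COMPLIANT records are counted, as Step 5 specifies; any
    other status (e.g. an empty one on a record awaiting action) is ignored."""
    total = sum(1 for r in records if r.get("ComplianceStatus") in COUNTED)
    failed = sum(1 for r in records if r.get("ComplianceStatus") == "NON_COMPLIANT")
    if total == 0:
        # The page's formula divides by TotalRecordCount; with nothing evaluable
        # there is no percentage to report, so say so instead of raising ZeroDivisionError.
        # 'NOT_DETERMINED' is an assumed label, not one defined on the page.
        return {"TotalRecordCount": 0, "FailedRecordCount": 0,
                "CompliancePCT": None, "ComplianceStatus": "NOT_DETERMINED"}
    # Same expression as Step 5. int() truncates, so e.g. 99.9 becomes 99 and a
    # single failure can never round up to 100%.
    pct = int(100 - ((failed * 100) / total))
    return {"TotalRecordCount": total, "FailedRecordCount": failed,
            "CompliancePCT": pct,
            "ComplianceStatus": "COMPLIANT" if pct == 100 else "NON_COMPLIANT"}

# Constructed sample: two encrypted EFS records and one unencrypted one.
SAMPLE = [
    {"ResourceName": "test-efs", "ComplianceStatus": "COMPLIANT"},
    {"ResourceName": "test-efs1", "ComplianceStatus": "NON_COMPLIANT"},
    {"ResourceName": "test-efs2", "ComplianceStatus": "COMPLIANT"},
]

if __name__ == "__main__":
    print(compliance_summary(SAMPLE))  # 1 of 3 failed -> CompliancePCT 66, NON_COMPLIANT
```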

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Remediation notes:

Encryption at rest is chosen when an EFS file system is created and cannot be switched on for an existing file system, so remediation means creating an encrypted file system and migrating the data to it.

1. Log in to the AWS Management Console:
   - Access the AWS Management Console and log in.
2. Navigate to the Amazon EFS Service:
   - Click on "Services" and select "EFS" under "Storage".
3. Create a New Encrypted EFS File System:
   - Click on "Create file system" and configure a new EFS file system with encryption enabled (choose an AWS managed CMK or a customer managed CMK).
4. Copy Data to the New Encrypted EFS File System:
   - Mount the new encrypted EFS file system to your Kubernetes cluster or EC2 instances.
   - Transfer existing data from the old EFS file system to the new encrypted EFS file system using tools like rsync.
5. Update Configurations:
   - Update any references or configurations in your Kubernetes cluster or applications to point to the new encrypted EFS file system.

By following these steps, you can securely transition to a new encrypted EFS file system for your Kubernetes cluster, enhancing data security.

# Step 7: Control Setup Details

| Control Details            |                            |
|----------------------------|----------------------------|
| **RuleName**               | AWSEFSEncryptionReport     |
| **ApplicationClassName**   | Kubernetes, AWSAppConnector |