Configuration update for Amazon EFS encryption of data in transit

Posted on: Jul 23, 2019

We’ve updated the default configuration for the Amazon Elastic File System (Amazon EFS) mount helper package when using encryption of data in transit. Starting today, use of the Online Certificate Status Protocol (OCSP) is not enabled by default.

The Amazon EFS mount helper provides the option to encrypt data in transit for EFS file systems using Transport Layer Security version 1.2 (TLS v1.2). EFS uses an Amazon certificate authority (CA) to issue and sign its TLS certificates, as well as to check for certificate revocation using OCSP. The OCSP endpoint must be accessible over the Internet from your Virtual Private Cloud (VPC) in order to check for certificate revocation. To maximize file system availability in the event that the CA is not reachable from your VPC, the EFS mount helper no longer enables OCSP by default. Within the service, EFS continuously monitors for certificate revocation status and will issue new certificates if a revoked certificate is detected.

You can still choose to enable OCSP so that your clients check for revoked certificates, which provides the strongest possible security. OCSP protects against malicious use of revoked certificates, which is unlikely to occur within your VPC. In the event that an EFS TLS certificate is revoked, Amazon will publish a security bulletin and make a new version of the EFS mount helper available that explicitly rejects the revoked certificate. This will require you to update the EFS mount helper manually.
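The announcement leaves the choice to operators, so the practical question is whether a given mount actually performs the OCSP check. The script below is an added example, not code from this announcement or from the efs-utils project: it audits an efs-utils style configuration and a mount option string and reports whether OCSP revocation checking will be in effect. It assumes that the mount helper reads `/etc/amazon/efs/efs-utils.conf`, that the `[mount]` section key `stunnel_check_cert_validity` controls the OCSP check, and that the per-mount options `ocsp` and `noocsp` override that default; the two sample configurations embedded in it are constructed for the example.

```python
"""Audit whether an EFS TLS mount will check certificate revocation via OCSP.

Assumptions (taken from efs-utils, not from the announcement text):
  * the mount helper reads /etc/amazon/efs/efs-utils.conf
  * [mount] stunnel_check_cert_validity = true|false turns the OCSP check on/off
  * the per-mount options `ocsp` / `noocsp` override the config default
"""
import configparser
import os

CONF_PATH = "/etc/amazon/efs/efs-utils.conf"  # assumed efs-utils config path
OCSP_KEY = "stunnel_check_cert_validity"        # assumed efs-utils config key

# Constructed sample: the post-update default, OCSP check disabled.
DEFAULT_CONF = """\
[mount]
stunnel_check_cert_hostname = true
stunnel_check_cert_validity = false
"""

# Constructed sample: hardened configuration, OCSP check enabled.
HARDENED_CONF = """\
[mount]
stunnel_check_cert_hostname = true
stunnel_check_cert_validity = true
"""


def ocsp_enabled_in_config(conf_text: str) -> bool:
    """Return True when the configuration turns on the OCSP revocation check.

    A missing section or key is treated as disabled, matching the announced
    default behaviour of the mount helper.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if not parser.has_section("mount"):
        return False
    return parser.getboolean("mount", OCSP_KEY, fallback=False)


def ocsp_effective(conf_text: str, mount_options: str) -> bool:
    """Decide whether a mount with these options will check OCSP.

    Explicit `ocsp` / `noocsp` options win over the config default. Without
    `tls` there is no TLS tunnel and therefore no certificate to check.
    """
    opts = {o.strip() for o in mount_options.split(",") if o.strip()}
    if "tls" not in opts:
        return False
    if "noocsp" in opts:
        return False
    if "ocsp" in opts:
        return True
    return ocsp_enabled_in_config(conf_text)


def audit(conf_text: str, mount_options: str) -> str:
    """Produce a one-line finding for a config/mount-option pair."""
    if "tls" not in mount_options.split(","):
        return "WARN: data in transit is not encrypted (no `tls` option)"
    if ocsp_effective(conf_text, mount_options):
        return "OK: TLS with OCSP revocation checking"
    return ("INFO: TLS without OCSP; revoked certificates are only rejected "
            "after a mount helper update")


def recommended_mount_command(fs_id: str, mount_point: str) -> str:
    """Mount command that enables TLS and the OCSP check for one mount."""
    return f"mount -t efs -o tls,ocsp {fs_id} {mount_point}"


def audit_host(conf_path: str = CONF_PATH, mount_options: str = "tls") -> str:
    """Audit the configuration file on this host, if present."""
    if not os.path.exists(conf_path):
        return f"SKIP: {conf_path} not found"
    with open(conf_path, encoding="utf-8") as fh:
        return audit(fh.read(), mount_options)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        for opts in ("tls", "tls,ocsp", "tls,noocsp", ""):
            print(f"{label:8} opts={opts or '<none>':10} -> {audit(conf, opts)}")
    # fs-PLACEHOLDER is a placeholder, not a real file system id.
    print(recommended_mount_command("fs-PLACEHOLDER", "/mnt/efs"))
    print(audit_host())
```

Run it on a client host to see which combination is in effect; an `ocsp` mount option on a client whose VPC cannot reach the OCSP endpoint will trade availability for the stricter check, which is exactly the trade-off the announcement describes.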

The updated EFS mount helper is available within Amazon Linux and Amazon Linux 2 AMIs, and can also be found on GitHub. To get started with the Amazon EFS mount helper and EFS encryption of data in transit, see the documentation.