Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encryption

S3 Files provides comprehensive encryption capabilities to protect your data both at rest and in transit.

Encryption at rest

Your S3 bucket is encrypted using Amazon S3's encryption mechanisms. For information on encryption of data in S3, see Protecting data with encryption.

S3 Files encrypts data at rest in the S3 file system using server-side encryption. Server-side encryption is the encryption of data at its destination by the application or service that receives it. In S3 file systems, data and metadata are encrypted by default before being written to storage and are automatically decrypted when read. These processes are handled transparently by S3 Files, so you don't need to modify your applications. All data at rest in the file system is encrypted using Amazon Key Management Service (KMS) keys using one of the following methods:

There are additional charges for using Amazon KMS keys. For more information, see Amazon KMS key concepts in the Amazon Key Management Service Developer Guide and Amazon KMS pricing.

Server-side encryption with Amazon owned KMS keys (SSE-KMS)

This is the default key for encrypting data at rest in your S3 file system. Amazon owned keys are a collection of KMS keys that an Amazon service owns and manages. S3 Files owns and manages encryption of your data and metadata at rest in your S3 file system when you use an Amazon owned key. For more details on Amazon owned keys, visit Amazon KMS keys.

Server-side encryption with customer managed Amazon KMS keys (SSE-KMS-CMK)

While creating your file system, you can choose to configure an Amazon Key Management Service (Amazon KMS) key that you manage. When you use SSE-KMS encryption with an S3 file system the Amazon KMS keys must be in the same Region as the file system.

S3 Files key policies for Amazon KMS

Key policies are the primary way to control access to customer managed keys. For more information on key policies, see Key policies in Amazon KMS in the Amazon Key Management Service Developer Guide. The following list describes all the Amazon KMS–related permissions that are supported by S3 Files for encrypting file systems at rest:

Key states and their effects

The state of your KMS key directly affects access to your encrypted file system:

Encryption in transit

S3 Files requires encryption of data in transit using Transport Layer Security (TLS). When you mount your file system using the mount helper, all data traveling between your client and the file system is encrypted using TLS. The mount helper initializes efs-proxy process to establish a secure TLS connection with your file system. The mount helper also creates a process called amazon-efs-mount-watchdog that monitors the health of mounts, and is started automatically the first time an S3 file system is mounted. It ensures that each mount's efs-proxy process is running, and stops the process when the file system is unmounted. If for some reason the process is terminated unexpectedly, the watchdog process restarts it.

The following describes how TLS encryption in transit works:

Encryption of data in transit changes your NFS client setup. When you inspect your actively mounted file systems, you see one mounted to 127.0.0.1, or localhost, as in the following example.

$ mount | column -t
127.0.0.1:/  on  /home/ec2-user/s3files        type  nfs4         (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=20127,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)

You mount your file system using the mount helper, which always encrypts data in transit using TLS. Therefore, while mounting, your NFS client is reconfigured to mount to a local port.