Encrypting data at rest - Amazon Elastic File System

Encrypting data at rest

Encryption at rest encrypts data stored on your EFS file system. This helps you meet compliance requirements and protect sensitive data from unauthorized access. Your organization might require encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment.

Note

The Amazon key management infrastructure uses Federal Information Processing Standards (FIPS) 140-3 approved cryptographic algorithms. The infrastructure is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations.

When you create a file system using the Amazon EFS console, encryption at rest is enabled by default. When using the Amazon CLI, API, or SDKs to create a file system, you must explicitly enable encryption.

After you create an EFS file system, you cannot change its encryption setting. This means that you cannot modify an unencrypted file system to make it encrypted. Instead, replicate the file system to copy data from the unencrypted file system to a new encrypted file system. For more information, see How do I turn on encryption at rest for an existing EFS file system?

How encryption at rest works

In an encrypted file system, data and metadata are encrypted by default before being written to storage and are automatically decrypted when read. These processes are handled transparently by Amazon EFS, so you don't need to modify your applications.

Amazon EFS uses Amazon KMS for key management as follows:

  • File data encryption – The contents of your files are encrypted using the KMS key that you specify. This can be either:

    • The Amazon owned key for Amazon EFS (aws/elasticfilesystem) – Default option, no additional charges.

    • A customer managed key that you create and manage – Provides additional control and audit capabilities.

  • Metadata encryption – File names, directory names, and directory contents are encrypted using a key that Amazon EFS manages internally.

Encryption process

When a file system is created or replicated to a file system in the same account, Amazon EFS uses a Forward Access Session (FAS) to make KMS calls using the caller's credentials. In CloudTrail logs, the kms:CreateGrant call appears to be made by the same user identity that created the file system or replication. You can identify Amazon EFS service calls in CloudTrail by looking for the invokedBy field with the value elasticfilesystem.amazonaws.com. The resource policy on the KMS key must allow the CreateGrant action for FAS to make the call.
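The CloudTrail pattern described above, as an added example that is not part of the EFS documentation: a small filter that separates KMS calls EFS placed on a caller's behalf (userIdentity.invokedBy set to the EFS service principal) from grants a principal created directly. The log records are constructed for the example; the account id, ARNs and key id are placeholders.

```python
import json

# Constructed CloudTrail records, not real log data. The account id, ARNs and
# key id are placeholders. The first record models a CreateGrant that EFS makes
# on the caller's behalf through a Forward Access Session: userIdentity is the
# caller's own identity, and invokedBy names the EFS service principal.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/efs-admin/alice",
            "invokedBy": "elasticfilesystem.amazonaws.com",
        },
        "requestParameters": {
            "keyId": "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-KEY-ID"
        },
    },
    {   # A grant created directly by a person, not through EFS
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/bob",
        },
        "requestParameters": {
            "keyId": "arn:aws:kms:us-east-2:111122223333:key/EXAMPLE-KEY-ID"
        },
    },
    {   # An EFS API event rather than a KMS one; filtered out by eventSource
        "eventSource": "elasticfilesystem.amazonaws.com",
        "eventName": "CreateFileSystem",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/efs-admin/alice",
        },
        "requestParameters": {"encrypted": True},
    },
]})

EFS_SERVICE = "elasticfilesystem.amazonaws.com"


def efs_kms_calls(log_text):
    """Return the KMS calls that Amazon EFS made on a caller's behalf (FAS).

    Matching rule: eventSource is KMS and userIdentity.invokedBy is the EFS
    service principal. The returned caller is the user identity CloudTrail
    records, which is the caller's, even though EFS placed the call.
    """
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("invokedBy") != EFS_SERVICE:
            continue
        hits.append({
            "event": rec.get("eventName"),
            "caller": ident.get("arn"),
            "key": rec.get("requestParameters", {}).get("keyId"),
        })
    return hits


def direct_grants(log_text):
    """KMS CreateGrant calls a principal made directly (no invokedBy).

    Worth reviewing on their own: a grant on the file system's key that EFS
    did not request is not part of the FAS workflow described above.
    """
    out = []
    for rec in json.loads(log_text)["Records"]:
        if (rec.get("eventSource") == "kms.amazonaws.com"
                and rec.get("eventName") == "CreateGrant"
                and "invokedBy" not in rec.get("userIdentity", {})):
            out.append(rec["userIdentity"].get("arn"))
    return out


if __name__ == "__main__":
    for hit in efs_kms_calls(SAMPLE_LOG):
        print("EFS via FAS:", hit)
    for arn in direct_grants(SAMPLE_LOG):
        print("direct CreateGrant by:", arn)
```

Run it as a script to list both categories; feed it the Records array from a CloudTrail log file delivered to S3, which uses the same top-level shape.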

Important

You manage control of the grant, and can revoke it at any time. Revoking the grant prevents Amazon EFS from accessing the KMS key for future operations. For more information, see Retiring and revoking grants in the Amazon Key Management Service Developer Guide.

When using customer managed KMS keys, the resource policy must also allow the Amazon EFS service principal and include the kms:ViaService condition to restrict access to the specific service endpoint. For example:

"kms:ViaService": "elasticfilesystem.us-east-2.amazonaws.com"
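The weak and corrected key-policy shapes side by side, as an added example that is not the EFS guide's own policy: a builder that emits a key policy with or without the kms:ViaService pin, and an audit that flags any statement allowing kms:CreateGrant to a non-root principal without that pin for the expected Region. The statement layout, the Sids, the account id and the caller role are assumptions.

```python
import re

# Matches the EFS regional endpoint form shown on the page, e.g.
# elasticfilesystem.us-east-2.amazonaws.com
EFS_ENDPOINT = re.compile(r"^elasticfilesystem\.[a-z0-9-]+\.amazonaws\.com$")

ACCOUNT = "111122223333"                              # placeholder account id
CALLER = f"arn:aws:iam::{ACCOUNT}:role/efs-admin"     # assumed caller role


def _as_list(v):
    return v if isinstance(v, list) else [v]


def efs_key_policy(region, pin_to_region=True):
    """Build a key policy (assumed shape, not the EFS guide's own example).

    Statement 1 is the usual account-root delegation. Statement 2 lets the
    caller role and the EFS service principal create grants; with
    pin_to_region=False it is the weak form that omits kms:ViaService.
    """
    use_stmt = {
        "Sid": "AllowEFSGrantCreation",
        "Effect": "Allow",
        "Principal": {
            "AWS": CALLER,
            "Service": "elasticfilesystem.amazonaws.com",
        },
        "Action": ["kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
    }
    if pin_to_region:
        use_stmt["Condition"] = {
            "StringEquals": {
                "kms:ViaService": f"elasticfilesystem.{region}.amazonaws.com"
            }
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMPolicies",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            use_stmt,
        ],
    }


def _principals(stmt):
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [x for v in p.values() for x in _as_list(v)]


def audit_create_grant(policy, region):
    """Findings for Allow statements that grant kms:CreateGrant without a
    kms:ViaService condition pinned to the EFS endpoint in `region`.

    Account-root delegation statements are skipped: they are the normal way
    key administration is handed to IAM and carry no ViaService condition.
    """
    expected = f"elasticfilesystem.{region}.amazonaws.com"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("kms:CreateGrant", "kms:*", "*") for a in actions):
            continue
        if all(re.fullmatch(r"arn:aws:iam::\d{12}:root", p) for p in _principals(stmt)):
            continue
        cond = stmt.get("Condition", {})
        via = _as_list(cond.get("StringEquals", {}).get("kms:ViaService", []))
        sid = stmt.get("Sid", "<no Sid>")
        if not via:
            findings.append(f"{sid}: CreateGrant allowed without kms:ViaService")
        elif expected not in via or any(not EFS_ENDPOINT.match(v) for v in via):
            findings.append(f"{sid}: kms:ViaService {via} is not pinned to {expected}")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_create_grant(efs_key_policy("us-east-2", pin_to_region=False), "us-east-2"))
    print("hardened:", audit_create_grant(efs_key_policy("us-east-2"), "us-east-2"))
```

The audit only reads the StringEquals operator, which is the one the page's example uses; a policy that expresses the pin through another operator would need the lookup extended. Pass the output of a GetKeyPolicy call (parsed as JSON) to audit an existing key.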

Amazon EFS uses the industry-standard AES-256 encryption algorithm to encrypt data and metadata at rest.

For more information about KMS key policies for Amazon EFS, see Using Amazon KMS keys for Amazon EFS.

Enforcing encryption at rest for new file systems

You can use the elasticfilesystem:Encrypted IAM condition key in Amazon Identity and Access Management (IAM) identity-based policies to enforce encryption at rest when users create EFS file systems. For more information about using the condition key, see Example: Enforce the creation of encrypted file systems.

You can also define service control policies (SCPs) inside Amazon Organizations to enforce Amazon EFS encryption for all Amazon Web Services accounts in your organization. For more information about service control policies in Amazon Organizations, see Service control policies in the Amazon Organizations User Guide.
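A worked illustration of the enforcement described in the two paragraphs above, added here and not taken from the EFS guide or the linked IAM example: a Deny statement keyed on elasticfilesystem:Encrypted, plus a minimal evaluator that applies IAM's explicit-deny rule to sample request contexts. The policy document, its Sid and the request contexts are assumptions; the same statement can be placed in an identity-based policy or in an Organizations SCP.

```python
# Assumed policy document built around the condition key the page names
# (elasticfilesystem:Encrypted). It is not the guide's own example.
ENFORCE_ENCRYPTION = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedFileSystems",
            "Effect": "Deny",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {
                "Bool": {"elasticfilesystem:Encrypted": "false"}
            },
        }
    ],
}

ACTION = "elasticfilesystem:CreateFileSystem"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition, context):
    """Evaluate the Bool operator, which is all this policy uses.

    Mirrors the IAM rule that a condition key absent from the request context
    does not match a (non-IfExists) condition, so the statement does not apply.
    """
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, wanted in pairs.items():
            if key not in context:
                return False
            allowed = {str(w).lower() for w in _as_list(wanted)}
            if str(context[key]).lower() not in allowed:
                return False
    return True


def explicit_deny(policy, action, context):
    """True if some Deny statement applies to `action` under `context`.

    An explicit Deny overrides any Allow, so a request this returns True for
    fails regardless of what other policies permit.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: one unencrypted create, one encrypted create.
    for ctx in ({"elasticfilesystem:Encrypted": "false"},
                {"elasticfilesystem:Encrypted": "true"}):
        verdict = "DENIED" if explicit_deny(ENFORCE_ENCRYPTION, ACTION, ctx) else "not denied"
        print(ctx, "->", verdict)
```

The evaluator returns False for a context that lacks the key altogether; that is the general IAM rule for a Bool condition, and this page does not state how the CreateFileSystem context is populated when the request omits the encryption parameter, so test the policy against a real unencrypted create in a sandbox account before relying on it.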