Encrypting data at rest - Amazon Elastic File System
Enforcing the creation of Amazon EFS file systems encrypted at restEncrypting a file system at rest using the consoleHow encryption at rest works
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypting data at rest

You can create encrypted file systems using the Amazon Web Services Management Console, the Amazon CLI, or programmatically through the Amazon EFS API or one of the Amazon SDKs. Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment.

Once you create an EFS file system, you cannot change its encryption setting. This means that you cannot modify an unencrypted file system to make it encrypted. Instead, you need to create a new, encrypted file system.

Note

The Amazon key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms. The infrastructure is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations.

Enforcing the creation of Amazon EFS file systems encrypted at rest

You can use the elasticfilesystem:Encrypted IAM condition key in Amazon Identity and Access Management (IAM) identity-based policies to control whether users can create Amazon EFS file systems that are encrypted at rest. For more information about using the condition key, see Example: Enforce the creation of encrypted file systems.

You can also define service control policies (SCPs) inside Amazon Organizations to enforce EFS encryption for all Amazon Web Services accounts in your organization. For more information about service control policies in Amazon Organizations, see Service control policies in the Amazon Organizations User Guide.

Encrypting a file system at rest using the console

When you create a new file system using the Amazon EFS console, encryption at rest is enabled by default. The following procedure describes how to enable encryption for a new file system when you create it from the console.

Note

Encryption at rest is not enabled by default when creating a new file system using the Amazon CLI, API, and SDKs. For more information, see Create a file system (Amazon CLI).

To encrypt a new file system using the EFS console

  1. Open the Amazon Elastic File System console at https://console.amazonaws.cn/efs/.

  2. Choose Create file system to open the Create file system dialog box.

  3. (Optional) Enter a Name for your file system.

  4. For Virtual Private Cloud (VPC), choose your VPC, or keep it set to your default VPC.

  5. Choose Create to create a file system that uses the following service recommended settings:

    • Encryption of data at rest enabled using your default Amazon KMS key for Amazon EFS (aws/elasticfilesystem).

    • Automatic backups turned on – For more information, see Backing up EFS file systems.

    • Mount targets – Amazon EFS creates mount targets with the following settings:

      • Located in each Availability Zone in the Amazon Web Services Region where the file system is created.

      • Located in the default subnets of the VPC that you selected.

      • Use the VPC's default security group. You can manage security groups after the file system is created.

      For more information, see Managing mount targets.

    • General Purpose performance mode – For more information, see Performance modes.

    • Elastic throughput mode – For more information, see Throughput modes.

    • Lifecycle management enabled with a 30-day policy – For more information, see Managing file system storage.

  6. The File systems page appears with a banner across the top showing the status of the file system you created. A link to access the file system details page appears in the banner when the file system becomes available.

You now have a new encrypted-at-rest file system.

How encryption at rest works

In an encrypted file system, data and metadata are automatically encrypted before being written to the file system. Similarly, as data and metadata are read, they are automatically decrypted before being presented to the application. These processes are handled transparently by Amazon EFS, so you don't have to modify your applications.

Amazon EFS uses industry-standard AES-256 encryption algorithm to encrypt EFS data and metadata at rest. For more information, see Cryptography basics in the Amazon Key Management Service Developer Guide.

How Amazon EFS uses Amazon KMS

Amazon EFS integrates with Amazon Key Management Service (Amazon KMS) for key management. Amazon EFS uses customer managed keys to encrypt your file system in the following way:

  • Encrypting metadata at rest – Amazon EFS uses the Amazon managed key for Amazon EFS, aws/elasticfilesystem, to encrypt and decrypt file system metadata (that is, file names, directory names, and directory contents).

  • Encrypting file data at rest – You choose the customer managed key used to encrypt and decrypt file data (that is, the contents of your files). You can enable, disable, or revoke grants on this customer managed key. This customer managed key can be one of the two following types:

    • Amazon managed key for Amazon EFS – This is the default customer managed key, aws/elasticfilesystem. You're not charged to create and store a customer managed key, but there are usage charges. To learn more, see Amazon Key Management Service pricing.

    • Customer managed key – This is the most flexible KMS key to use, because you can configure its key policies and grants for multiple users or services. For more information on creating customer managed keys, see Creating keys in the Amazon Key Management Service Developer Guide.

      If you use a customer managed key for file data encryption and decryption, you can enable key rotation. When you enable key rotation, Amazon KMS automatically rotates your key once per year. Additionally, with a customer managed key, you can choose when to disable, re-enable, delete, or revoke access to your customer managed key at any time. For more information, see Managing access to encrypted file systems.

Important

Amazon EFS accepts only symmetric customer managed keys. You cannot use asymmetric customer managed keys with Amazon EFS.

Data encryption and decryption at rest are handled transparently. However, Amazon account IDs specific to Amazon EFS appear in your Amazon CloudTrail logs related to Amazon KMS actions. For more information, see Amazon EFS log file entries for encrypted-at-rest file systems.

Amazon EFS key policies for Amazon KMS

Key policies are the primary way to control access to customer managed keys. For more information on key policies, see Key policies in Amazon KMS in the Amazon Key Management Service Developer Guide. The following list describes all the Amazon KMS–related permissions that are required or otherwise supported by Amazon EFS for encrypted at rest file systems:

  • kms:Encrypt – (Optional) Encrypts plaintext into ciphertext. This permission is included in the default key policy.

  • kms:Decrypt – (Required) Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted. This permission is included in the default key policy.

  • kms:ReEncrypt – (Optional) Encrypts data on the server side with a new customer managed key, without exposing the plaintext of the data on the client side. The data is first decrypted and then re-encrypted. This permission is included in the default key policy.

  • kms:GenerateDataKeyWithoutPlaintext – (Required) Returns a data encryption key encrypted under a customer managed key. This permission is included in the default key policy under kms:GenerateDataKey*.

  • kms:CreateGrant – (Required) Adds a grant to a key to specify who can use the key and under what conditions. Grants are alternate permission mechanisms to key policies. For more information on grants, see Using Grants in the Amazon Key Management Service Developer Guide. This permission is included in the default key policy.

  • kms:DescribeKey – (Required) Provides detailed information about the specified customer managed key. This permission is included in the default key policy.

  • kms:ListAliases – (Optional) Lists all of the key aliases in the account. When you use the console to create an encrypted file system, this permission populates the Select KMS key list. We recommend using this permission to provide the best user experience. This permission is included in the default key policy.

Amazon managed key for Amazon EFS KMS policy

The KMS policy JSON for the Amazon managed key for Amazon EFS, aws/elasticfilesystem is as follows:

{
    "Version": "2012-10-17",
    "Id": "auto-elasticfilesystem-1",
    "Statement": [
        {
            "Sid": "Allow access to EFS for all principals in the account that are authorized to use EFS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "elasticfilesystem.us-east-2.amazonaws.com",
                    "kms:CallerAccount": "111122223333"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}