Managing access to encrypted file systems
Using Amazon EFS, you can create encrypted file systems. Amazon EFS supports two forms of encryption for file systems, encryption in transit and encryption at rest. Any key management that you need to perform is related only to encryption at rest. Amazon EFS automatically manages the keys for encryption in transit.
If you create a file system that uses encryption at rest, data and metadata are encrypted at rest. Amazon EFS uses Amazon Key Management Service (Amazon KMS) for key management. When you create a file system using encryption at rest, you specify an Amazon KMS key. The KMS key can be aws/elasticfilesystem (the Amazon managed key for Amazon EFS), or it can be a customer managed key that you manage. You make this choice only when you create the file system: encryption at rest cannot be turned on for an existing file system, and the key cannot be changed afterwards.
File data (the contents of your files) is encrypted at rest using the KMS key that you specified when you created your file system; if you chose a customer managed key, you own and control the key that protects your file contents. Metadata (file names, directory names, and directory contents) is always encrypted using the Amazon managed key for Amazon EFS, aws/elasticfilesystem, regardless of which key you chose for file data.
You manage who has access to your KMS keys and the contents of your encrypted file systems. This access is controlled by both Amazon Identity and Access Management (IAM) policies and Amazon KMS. IAM policies control a user's access to Amazon EFS API actions. Amazon KMS key policies control a user's access to the KMS key that you specified when the file system was created. For more information, see the following:
- IAM Users in the IAM User Guide
- Using key policies in Amazon KMS in the Amazon Key Management Service Developer Guide
- Using grants in the Amazon Key Management Service Developer Guide
As a key administrator, you can import external keys. You can also modify keys by enabling them, disabling them, or deleting them. The state of the KMS key that you specified (when you created the file system with encryption at rest) affects access to its contents. The KMS key must be in the enabled state for users to have access to the contents of an encrypted-at-rest file system that is encrypted using that key. If you disable the key or schedule it for deletion, the file system's contents become inaccessible; access returns when you enable the key again or cancel the scheduled deletion. Once a key is actually deleted, data encrypted under it cannot be recovered, so treat a PendingDeletion state on a key that an EFS file system still uses as an incident. The Amazon managed key aws/elasticfilesystem cannot be disabled or deleted by you, so only customer managed keys carry this risk.
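The following audit script is an added example, not code from the Amazon EFS documentation. It implements the check a practitioner would want after the paragraph above: for every file system it reports whether encryption at rest is on, whether the data key is the Amazon managed key or a customer managed key, and whether that key is in a state that still lets users reach the contents. The core function consumes the response shapes of the EFS DescribeFileSystems and KMS DescribeKey APIs, so it can be exercised offline on the constructed sample data included here (all file system IDs, key ARNs, account numbers and dates in that data are fictional); the optional live path uses boto3 and needs the efs:DescribeFileSystems and kms:DescribeKey permissions.

```python
"""Audit Amazon EFS encryption at rest against the state of the KMS keys.

Added example; not code from the Amazon EFS documentation. The constructed
sample data below mimics the real API response shapes; every ID, ARN,
account number and date in it is fictional.
"""
from typing import Dict, List

# KMS refuses cryptographic operations while a key is in one of these states,
# so EFS can no longer decrypt file data for a file system using the key.
UNUSABLE_KEY_STATES = {"Disabled", "PendingDeletion", "PendingReplicaDeletion",
                       "PendingImport", "Unavailable", "Creating"}


def audit_file_systems(file_systems: List[dict], keys_by_arn: Dict[str, dict]) -> List[dict]:
    """Return one finding per file system.

    file_systems: the "FileSystems" list of an EFS DescribeFileSystems response.
    keys_by_arn:  KMS DescribeKey "KeyMetadata" objects keyed by key ARN
                  (EFS reports the data key in the KmsKeyId field as an ARN).
    """
    findings = []
    for fs in file_systems:
        fs_id = fs["FileSystemId"]
        if not fs.get("Encrypted", False):
            findings.append({"FileSystemId": fs_id, "Status": "UNENCRYPTED",
                             "Detail": "file data and metadata are stored in plaintext"})
            continue

        key_arn = fs["KmsKeyId"]
        meta = keys_by_arn.get(key_arn)
        if meta is None:
            # No DescribeKey result: the auditing principal is not allowed by
            # the key policy, or the key lives in another account or region.
            findings.append({"FileSystemId": fs_id, "Status": "KEY_UNDESCRIBABLE",
                             "KmsKeyId": key_arn,
                             "Detail": "no DescribeKey result; check the key policy"})
            continue

        owner = "AWS managed" if meta.get("KeyManager") == "AWS" else "customer managed"
        state = meta.get("KeyState")
        if state == "Enabled":
            status, detail = "OK", f"{owner} key is Enabled"
        elif state in UNUSABLE_KEY_STATES:
            status, detail = "KEY_UNUSABLE", f"{owner} key is {state}"
            if state == "PendingDeletion":
                detail += (f"; deletion scheduled for {meta.get('DeletionDate')},"
                           " cancel it to keep the data recoverable")
        else:
            status, detail = "KEY_UNKNOWN_STATE", f"{owner} key reports state {state!r}"
        findings.append({"FileSystemId": fs_id, "Status": status,
                         "KmsKeyId": key_arn, "Detail": detail})
    return findings


def audit_live_account(region_name: str = None) -> List[dict]:
    """Fetch real data with boto3 (not exercised offline)."""
    import boto3
    from botocore.exceptions import ClientError
    efs = boto3.client("efs", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    file_systems = []
    for page in efs.get_paginator("describe_file_systems").paginate():
        file_systems.extend(page["FileSystems"])
    keys: Dict[str, dict] = {}
    for fs in file_systems:
        arn = fs.get("KmsKeyId")
        if fs.get("Encrypted") and arn and arn not in keys:
            try:
                keys[arn] = kms.describe_key(KeyId=arn)["KeyMetadata"]
            except ClientError:
                pass  # left absent on purpose: reported as KEY_UNDESCRIBABLE
    return audit_file_systems(file_systems, keys)


# Constructed sample data (fictional IDs), shaped like the real API responses.
_ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0aaaaaaaaaaaaaaa1", "Encrypted": True, "KmsKeyId": _ARN + "aaaa-1"},
    {"FileSystemId": "fs-0bbbbbbbbbbbbbbb2", "Encrypted": True, "KmsKeyId": _ARN + "bbbb-2"},
    {"FileSystemId": "fs-0ccccccccccccccc3", "Encrypted": True, "KmsKeyId": _ARN + "cccc-3"},
    {"FileSystemId": "fs-0ddddddddddddddd4", "Encrypted": True, "KmsKeyId": _ARN + "dddd-4"},
    {"FileSystemId": "fs-0eeeeeeeeeeeeeee5", "Encrypted": False},
]
SAMPLE_KEYS = {
    _ARN + "aaaa-1": {"KeyState": "Enabled", "KeyManager": "AWS"},
    _ARN + "bbbb-2": {"KeyState": "PendingDeletion", "KeyManager": "CUSTOMER",
                      "DeletionDate": "2030-01-01T00:00:00Z"},
    _ARN + "cccc-3": {"KeyState": "Disabled", "KeyManager": "CUSTOMER"},
    # dddd-4 is intentionally absent: DescribeKey was denied by its key policy.
}

if __name__ == "__main__":
    for finding in audit_file_systems(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS):
        print(f"{finding['FileSystemId']}  {finding['Status']:<18} {finding['Detail']}")
```

Run it as-is to see the five sample verdicts; call `audit_live_account("us-east-1")` from an interpreter with credentials to audit a real account. A KEY_UNDESCRIBABLE result is worth chasing even when the file system currently mounts fine, because the same key policy gap will block you from cancelling a deletion or re-enabling the key when it matters.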