Managing access to encrypted file systems - Amazon Elastic File System
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing access to encrypted file systems

Using Amazon EFS, you can create encrypted file systems. Amazon EFS supports two forms of encryption for file systems, encryption in transit and encryption at rest. Any key management that you need to perform is related only to encryption at rest. Amazon EFS automatically manages the keys for encryption in transit.

If you create a file system that uses encryption at rest, data and metadata are encrypted at rest. Amazon EFS uses Amazon Key Management Service (Amazon KMS) for key management. When you create a file system using encryption at rest, you specify an Amazon KMS key. The KMS key can be aws/elasticfilesystem (the Amazon managed key for Amazon EFS), or it can be a customer managed key that you manage.

File data—the contents of your files—is encrypted at rest using the KMS key that you specified when you created your file system. Metadata—file names, directory names, and directory contents—is encrypted using a key that Amazon EFS manages.

The EFS Amazon managed key for your file system is used as the KMS key for encrypting the metadata in your file system, for example file names, directory names, and directory contents. You own the customer managed key used to encrypt file data (the contents of your files) at rest.

You manage who has access to your KMS keys and the contents of your encrypted file systems. This access is controlled by both Amazon Identity and Access Management (IAM) policies and Amazon KMS. IAM policies control a user's access to Amazon EFS API actions. Amazon KMS key policies control a user's access to the KMS key that you specified when the file system was created. For more information, see the following:

As a key administrator, you can import external keys. You can also modify keys by enabling them, disabling them, or deleting them. The state of the KMS key that you specified (when you created the file system with encryption at rest) affects access to its contents. The KMS key must be in the enabled state for users to have access to the contents of an encrypted-at-rest file system that is encrypted using that key.