Managing access to encrypted file systems - Amazon Elastic File System


Using Amazon EFS, you can create encrypted file systems. Amazon EFS supports two forms of encryption for file systems, encryption in transit and encryption at rest. Any key management that you need to perform is related only to encryption at rest. Amazon EFS automatically manages the keys for encryption in transit.

If you create a file system that uses encryption at rest, data and metadata are encrypted at rest. Amazon EFS uses Amazon Key Management Service (Amazon KMS) for key management. When you create a file system using encryption at rest, you specify an Amazon KMS key. The KMS key can be aws/elasticfilesystem (the Amazon managed key for Amazon EFS), or it can be a customer managed key that you manage.

File data—the contents of your files—is encrypted at rest using the KMS key that you specified when you created your file system. Metadata—file names, directory names, and directory contents—is encrypted using a key that Amazon EFS manages.

The Amazon managed key for Amazon EFS is used as the KMS key for encrypting the metadata in your file system, for example file names, directory names, and directory contents. You own the customer managed key used to encrypt file data (the contents of your files) at rest.

You manage who has access to your KMS keys and the contents of your encrypted file systems. This access is controlled by both Amazon Identity and Access Management (IAM) policies and Amazon KMS. IAM policies control a user's access to Amazon EFS API actions. Amazon KMS key policies control a user's access to the KMS key that you specified when the file system was created. For more information, see the following:

As a key administrator, you can import external keys. You can also modify keys by enabling them, disabling them, or deleting them. The state of the KMS key that you specified (when you created the file system with encryption at rest) affects access to its contents. The KMS key must be in the enabled state for users to have access to the contents of an encrypted-at-rest file system that is encrypted using that key.

Performing administrative actions on Amazon EFS KMS keys

Following, you can find how to enable, disable, or delete the KMS keys associated with your Amazon EFS file system. You can also learn about the behavior to expect from your file system when you perform these actions.

Disabling, deleting, or revoking access to the KMS key for a file system

You can disable or delete your customer managed KMS keys, or you can revoke Amazon EFS access to your KMS keys. Disabling and revoking access for Amazon EFS to your keys are reversible actions. Exercise significant caution when deleting KMS keys. Deleting a KMS key is an irreversible action.

If you disable or delete the KMS key used for your mounted file system, the following is true:

  • That KMS key can't be used as the key for new encrypted-at-rest file systems.

  • Existing encrypted-at-rest file systems that use that KMS key stop working after a period of time.

If you revoke Amazon EFS access to a grant for any existing mounted file system, the behavior is the same as if you disabled or deleted the associated KMS key. In other words, the encrypted-at-rest file system continues to function, but stops working after a period of time.

To prevent access to a mounted encrypted-at-rest file system whose KMS key you have disabled, deleted, or revoked Amazon EFS access to, unmount the file system and delete its Amazon EFS mount targets.

You can't immediately delete an Amazon KMS key, but you can schedule it for deletion in 7-30 days. While a KMS key is scheduled for deletion, you can't use it for cryptographic operations. You can also cancel a KMS key's scheduled deletion.
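The key-state rule described above, as an added audit example (not code from the Amazon EFS documentation): it lists encrypted-at-rest file systems whose KMS key is disabled, pending deletion, or can no longer be described, so that a disabled or scheduled-for-deletion key is caught before the file system stops working. The file system IDs, key ARNs and deletion date are constructed; `fetch_live()` assumes boto3's EFS and KMS clients and is not exercised offline.

```python
from datetime import datetime, timezone

KEY_1 = "arn:aws:kms:cn-north-1:111122223333:key/CONSTRUCTED-KEY-1"
KEY_2 = "arn:aws:kms:cn-north-1:111122223333:key/CONSTRUCTED-KEY-2"

# Constructed entries in the shape of efs.describe_file_systems()["FileSystems"].
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0000aaaa", "Encrypted": True, "KmsKeyId": KEY_1},
    {"FileSystemId": "fs-0000bbbb", "Encrypted": True, "KmsKeyId": KEY_2},
    {"FileSystemId": "fs-0000cccc", "Encrypted": False},  # no KMS key to check
]
# Constructed kms.describe_key()["KeyMetadata"] results, keyed by key ARN.
SAMPLE_KEY_METADATA = {
    KEY_1: {"KeyState": "Enabled"},
    KEY_2: {"KeyState": "PendingDeletion",
            "DeletionDate": datetime(2025, 1, 20, tzinfo=timezone.utc)},
}


def audit(file_systems, key_metadata):
    """Return a finding for each encrypted-at-rest file system whose key is not Enabled."""
    findings = []
    for fs in file_systems:
        if not fs.get("Encrypted"):
            continue  # not encrypted at rest, so no KMS key dependency
        meta = key_metadata.get(fs["KmsKeyId"])
        # No metadata means describe_key failed (key gone or access revoked): not confirmably Enabled.
        state = meta["KeyState"] if meta else "Unknown"
        if state == "Enabled":
            continue
        finding = {"FileSystemId": fs["FileSystemId"], "KmsKeyId": fs["KmsKeyId"], "KeyState": state}
        if state == "PendingDeletion":  # deletion can still be cancelled until this date
            finding["DeletionDate"] = meta["DeletionDate"].isoformat()
        findings.append(finding)
    return findings


def fetch_live():
    """Same inputs from a real account; needs boto3 and credentials (assumed, not run here)."""
    import boto3
    from botocore.exceptions import ClientError
    efs, kms = boto3.client("efs"), boto3.client("kms")
    pages = efs.get_paginator("describe_file_systems").paginate()
    file_systems = [fs for page in pages for fs in page["FileSystems"]]
    key_metadata = {}
    for key_id in {fs["KmsKeyId"] for fs in file_systems if fs.get("Encrypted")}:
        try:
            key_metadata[key_id] = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        except ClientError:
            key_metadata[key_id] = None  # surfaces as KeyState "Unknown" in audit()
    return file_systems, key_metadata
```

Run `audit(*fetch_live())` on a schedule and alert on any non-empty result; a `PendingDeletion` finding is the window in which the scheduled deletion can still be cancelled.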

To learn how to disable and re-enable customer managed KMS keys, see Enabling and disabling keys in the Amazon Key Management Service Developer Guide. To learn how to schedule deletion of customer managed KMS keys, see Deleting KMS keys in the Amazon Key Management Service Developer Guide.