Encrypt objects stored by File Gateway in Amazon S3 - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

You can use Amazon Key Management Service (Amazon KMS) to encrypt objects that your File Gateway stores in Amazon S3. To do this using the Storage Gateway console, see Create an NFS file share with a custom configuration or Create an SMB file share with a custom configuration. You can also do this by using the Storage Gateway API. For instructions, see CreateNFSFileShare or CreateSMBFileShare in the Amazon Storage Gateway API Reference.

By default, a File Gateway uses server-side encryption with Amazon S3–managed keys (SSE-S3) when it writes data to an S3 bucket. If you make SSE-KMS (server-side encryption with Amazon KMS keys) the default encryption for your S3 bucket, objects that a File Gateway stores there are encrypted using SSE-KMS with the bucket's default key.

To encrypt using SSE-KMS with a KMS key that you choose, turn on SSE-KMS encryption for the file share and provide the Amazon Resource Name (ARN) of the KMS key when you create the share (in the API, the KMSEncrypted and KMSKey parameters of CreateNFSFileShare or CreateSMBFileShare). The key must be a symmetric KMS key; Storage Gateway does not support asymmetric keys. You can also change the KMS settings of an existing file share with the UpdateNFSFileShare or UpdateSMBFileShare API operation. The change applies only to objects written to the S3 bucket after the update; objects that are already in the bucket keep the encryption they were stored with and are not re-encrypted.

If you configure your File Gateway to use SSE-KMS for encryption, you must manually add kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey, and kms:DescribeKey permissions to the IAM role associated with the file share. Scope the Resource of that statement to the ARN of the key the share uses rather than to all keys. Note that an IAM policy on the role is not sufficient on its own: the KMS key policy must also allow the role to use the key, either directly or by delegating to IAM policies in the key's account, and for a key in another account the key policy must grant the role explicitly. For more information, see Using Identity-Based Policies (IAM Policies) for Storage Gateway.
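The following Python is an added example, not code from the Storage Gateway documentation or service. It covers both the API parameters above (building the keyword arguments for boto3's create_smb_file_share and update_smb_file_share calls, which map to CreateSMBFileShare and UpdateSMBFileShare) and the IAM requirement (a least-privilege statement granting the five KMS permissions on one key, plus a checker that reports which of those permissions an existing role policy fails to grant). The gateway, role, bucket and key ARNs are constructed placeholders; the checker is an offline approximation of IAM evaluation that does not look at Conditions, NotAction or NotResource, and it cannot see the KMS key policy, which must separately allow the role.

```python
import fnmatch
import re

# The permissions the documentation requires on the key for an SSE-KMS share.
# "kms:ReEncrypt*" expands to the two concrete ReEncrypt actions.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)

# A KMS *key* ARN (not an alias ARN) in the aws or aws-cn partition.
# Assumption of this helper: the share is configured with a key ARN.
_KEY_ARN = re.compile(
    r"^arn:aws(?:-cn)?:kms:[a-z]{2}(?:-[a-z]+)+-\d:\d{12}:key/[0-9a-f-]{36}$"
)


def validate_key_arn(arn: str) -> str:
    """Reject alias ARNs, key IDs without a partition, and other malformed input."""
    if not _KEY_ARN.match(arn):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return arn


def kms_statement(key_arn: str) -> dict:
    """Least-privilege IAM statement for the file share's role: the documented
    actions, scoped to the single key the share uses instead of Resource '*'."""
    return {
        "Sid": "StorageGatewaySseKms",
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey",
            "kms:DescribeKey",
        ],
        "Resource": validate_key_arn(key_arn),
    }


def create_smb_share_kwargs(gateway_arn, role_arn, bucket_arn, key_arn, client_token):
    """Keyword arguments for storagegateway.create_smb_file_share(**kwargs):
    SSE-KMS turned on, with the chosen key ARN."""
    return {
        "ClientToken": client_token,
        "GatewayARN": gateway_arn,
        "Role": role_arn,
        "LocationARN": bucket_arn,
        "KMSEncrypted": True,
        "KMSKey": validate_key_arn(key_arn),
    }


def update_share_kms_kwargs(file_share_arn, key_arn):
    """Keyword arguments for storagegateway.update_smb_file_share(**kwargs).
    Only objects written after the update use this key; existing objects keep
    the encryption they were stored with."""
    return {
        "FileShareARN": file_share_arn,
        "KMSEncrypted": True,
        "KMSKey": validate_key_arn(key_arn),
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(stmt, action, key_arn):
    # IAM action names match case-insensitively with '*' and '?' wildcards;
    # resource ARNs match case-sensitively.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatch.fnmatchcase(key_arn, r) for r in resources
    )


def missing_kms_actions(policy: dict, key_arn: str) -> list:
    """Required actions that the role's identity policy does not grant on key_arn.
    An action counts as granted only if an Allow statement matches it and no Deny
    statement matches it. Conditions, NotAction and NotResource are not evaluated,
    and the KMS key policy is out of scope (it must also allow the role)."""
    validate_key_arn(key_arn)
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED_KMS_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action, key_arn) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action, key_arn) for s in statements)
        if not allowed or denied:
            missing.append(action)
    return missing


# Constructed placeholder ARNs for the example (not real resources).
KEY_ARN = "arn:aws-cn:kms:cn-north-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BUCKET_ARN = "arn:aws-cn:s3:::example-file-gateway-bucket"

# Constructed role policy that has S3 access and *almost* the right KMS actions:
# kms:ReEncrypt* is missing, which the checker should report.
EXAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": KEY_ARN},
    ],
}


def fixed_role_policy() -> dict:
    """The constructed policy with the documented KMS statement appended."""
    return {"Version": "2012-10-17",
            "Statement": EXAMPLE_ROLE_POLICY["Statement"] + [kms_statement(KEY_ARN)]}


if __name__ == "__main__":
    print("missing before fix:", missing_kms_actions(EXAMPLE_ROLE_POLICY, KEY_ARN))
    print("missing after fix: ", missing_kms_actions(fixed_role_policy(), KEY_ARN))
```

Run the checker against the role attached to the file share before turning on SSE-KMS; a share whose role lacks any of these actions will fail to write objects once the key is set, and the error surfaces on the gateway rather than in the console. A clean result from this check still leaves the key policy to verify.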