Encryption of data at rest - FSx for ONTAP
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encryption of data at rest

All Amazon FSx for NetApp ONTAP file systems are encrypted at rest with keys managed using Amazon Key Management Service (Amazon KMS). Data is automatically encrypted before being written to the file system, and automatically decrypted as it is read. These processes are handled transparently by Amazon FSx, so you don't have to modify your applications.

Amazon FSx uses an industry-standard AES-256 encryption algorithm to encrypt Amazon FSx data and metadata at rest. For more information, see Cryptography Basics in the Amazon Key Management Service Developer Guide.

Note

The Amazon key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms. The infrastructure is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations.

How Amazon FSx uses Amazon KMS

Amazon FSx integrates with Amazon KMS for key management. Amazon FSx uses KMS keys to encrypt your file system. You choose the KMS key that is used to encrypt and decrypt the file system (both data and metadata) when you create the file system. You can enable or disable this KMS key, and you can revoke the grants that Amazon FSx has created on it. This KMS key can be one of the following two types:

  • Amazon-managed KMS key – This is the default KMS key (alias aws/fsx in your account), and it's free to use. Its key policy is managed by Amazon and can't be changed.

  • Customer-managed KMS key – This is the most flexible KMS key to use, because you can configure its key policies and grants for multiple users or services. For more information on creating KMS keys, see Creating Keys in the Amazon Key Management Service Developer Guide.

Important

Amazon FSx accepts only symmetric encryption KMS keys (key spec SYMMETRIC_DEFAULT). You can't use asymmetric KMS keys with Amazon FSx.

If you use a customer-managed KMS key for file data encryption and decryption, you can enable automatic key rotation. When you enable key rotation, Amazon KMS rotates the key material once per year (the default rotation period). Rotation doesn't re-encrypt data that is already on the file system: Amazon KMS keeps the earlier key material so that existing data keys can still be decrypted, and only newly generated data keys use the new material. Additionally, with a customer-managed KMS key, you can disable, re-enable, delete, or revoke access to your KMS key at any time. Be aware that disabling the key, scheduling it for deletion, or revoking the Amazon FSx grant prevents Amazon FSx from decrypting the file system's data keys, so these operations make the file system's data inaccessible until the key is usable again. For more information, see Rotating Amazon KMS keys and Enabling and disabling keys in the Amazon Key Management Service Developer Guide.
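As an added example (not Amazon FSx or Amazon KMS code), the following Python pre-flight check applies the constraints above before a CreateFileSystem call: it rejects asymmetric, HMAC, and disabled keys, and flags a customer-managed key whose rotation is off. The metadata dicts are constructed to mirror the shape of boto3's kms.describe_key()["KeyMetadata"] response and the KeyRotationEnabled flag from get_key_rotation_status(); the key IDs, account number, subnet ID, and OntapConfiguration values are placeholders.

```python
"""Pre-flight check of a KMS key before creating an FSx for ONTAP file system.

Added example; it is not Amazon FSx or Amazon KMS code. The dicts below follow
the shape of kms.describe_key()["KeyMetadata"], but every value is constructed,
not captured from a real account. Key IDs, account number and subnet ID are
placeholders.
"""

# Constructed sample: a customer-managed, enabled, symmetric key (acceptable).
SYMMETRIC_CMK = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyManager": "CUSTOMER",
}

# Constructed sample: an RSA signing key; FSx accepts only symmetric keys.
ASYMMETRIC_KEY = dict(SYMMETRIC_CMK, KeySpec="RSA_2048", KeyUsage="SIGN_VERIFY")

# Constructed sample: a symmetric key that an administrator has disabled.
DISABLED_CMK = dict(SYMMETRIC_CMK, KeyState="Disabled")


def key_problems(metadata, rotation_enabled=None):
    """Return the reasons this key should not be used for FSx (empty list if fine).

    rotation_enabled is the KeyRotationEnabled flag for customer-managed keys;
    pass None if you have not queried it.
    """
    problems = []
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT" or metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("not a symmetric encryption key; FSx rejects asymmetric and HMAC keys")
    state = metadata.get("KeyState")
    if state != "Enabled":
        # A disabled or pending-deletion key cannot unwrap the file system's data keys.
        problems.append(f"key state is {state!r}; FSx cannot decrypt data keys with it")
    if metadata.get("KeyManager") == "CUSTOMER" and rotation_enabled is False:
        # Rotation is opt-in for customer-managed keys, so this is a warning, not a hard error.
        problems.append("automatic key rotation is disabled on this customer-managed key")
    return problems


def create_file_system_request(metadata, subnet_ids, storage_gib=1024):
    """Build the CreateFileSystem parameters (kwargs for boto3 fsx.create_file_system).

    Raises ValueError up front instead of letting KMS reject the request later.
    DeploymentType and ThroughputCapacity are illustrative values.
    """
    problems = key_problems(metadata)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "FileSystemType": "ONTAP",
        "StorageCapacity": storage_gib,
        "SubnetIds": list(subnet_ids),
        "KmsKeyId": metadata["Arn"],  # the key cannot be changed after creation
        "OntapConfiguration": {"DeploymentType": "SINGLE_AZ_1", "ThroughputCapacity": 128},
    }


if __name__ == "__main__":
    for name, meta in [("symmetric", SYMMETRIC_CMK), ("asymmetric", ASYMMETRIC_KEY), ("disabled", DISABLED_CMK)]:
        print(name, key_problems(meta) or "ok")
    print(create_file_system_request(SYMMETRIC_CMK, ["subnet-0a1b2c3d4e5f6a7b8"]))
```

In a real deployment, feed key_problems() the live output of describe_key and get_key_rotation_status; the point of checking the key state is that a disabled or pending-deletion key fails only when Amazon FSx tries to decrypt the data key, which is a worse place to discover it than before the file system exists.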

Amazon FSx key policies for Amazon KMS

Key policies are the primary way to control access to KMS keys. For more information on key policies, see Using key policies in Amazon KMS in the Amazon Key Management Service Developer Guide. The following list describes all the Amazon KMS-related permissions that Amazon FSx supports for file systems encrypted at rest:

  • kms:Encrypt – (Optional) Encrypts plaintext into ciphertext. This permission is included in the default key policy.

  • kms:Decrypt – (Required) Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted. Amazon FSx uses this permission to unwrap the file system's encrypted data keys. This permission is included in the default key policy.

  • kms:ReEncrypt – (Optional) Encrypts data on the server side with a new Amazon KMS key, without exposing the plaintext of the data on the client side. The data is first decrypted and then re-encrypted. The default key policy covers this as kms:ReEncrypt*, which includes both the kms:ReEncryptFrom and kms:ReEncryptTo actions.

  • kms:GenerateDataKeyWithoutPlaintext – (Required) Returns a data encryption key encrypted under a KMS key. This permission is included in the default key policy under kms:GenerateDataKey*.

  • kms:CreateGrant – (Required) Adds a grant to a key to specify who can use the key and under what conditions. Grants are alternate permission mechanisms to key policies. For more information on grants, see Using Grants in the Amazon Key Management Service Developer Guide. This permission is included in the default key policy, where it is limited by the kms:GrantIsForAWSResource condition so that grants can be created only on behalf of an Amazon service such as Amazon FSx, not directly by the principal.

  • kms:DescribeKey – (Required) Provides detailed information about the specified KMS key. This permission is included in the default key policy.

  • kms:ListAliases – (Optional) Lists all of the key aliases in the account. When you use the console to create an encrypted file system, this permission populates the list of KMS keys; Amazon FSx itself doesn't need it. We recommend granting this permission to provide the best console experience. This permission is included in the default key policy.
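The permission list above can be checked mechanically. The following Python, added here and not part of the Amazon documentation or of any Amazon library, builds a least-privilege customer-managed key policy for one provisioning role and then verifies that the policy grants that role every permission Amazon FSx requires, expanding wildcards such as kms:GenerateDataKey* and kms:ReEncrypt* the way the default key policy writes them. The account number, role name, region, and the kms:ViaService endpoint value fsx.cn-north-1.amazonaws.com.cn are assumptions; the checker ignores Condition and Deny elements, so it is a sanity check for the required action set, not a policy simulator.

```python
"""Build and check a KMS key policy for Amazon FSx for ONTAP.

Added example, not Amazon code. Account, role and region values are placeholders.
"""
import fnmatch
import json

# Required by FSx for a file system encrypted at rest (the list above).
FSX_REQUIRED = {
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:CreateGrant",
    "kms:DescribeKey",
}
# Optional; ReEncrypt is two API actions, which the default policy covers with kms:ReEncrypt*.
FSX_OPTIONAL = {"kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:ListAliases"}

ACCOUNT = "111122223333"                                    # placeholder account
FSX_ROLE = f"arn:aws-cn:iam::{ACCOUNT}:role/FsxProvisioner"  # placeholder role that creates file systems


def fsx_key_policy(account, user_arn, region="cn-north-1"):
    """Least-privilege key policy: account root keeps administration, user_arn may use the key only via FSx."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the key becomes unmanageable by the account.
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws-cn:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Data-key operations, limited to calls made through the FSx service.
                "Sid": "AllowFsxUse",
                "Effect": "Allow",
                "Principal": {"AWS": user_arn},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                # Assumed endpoint form for the China Regions.
                "Condition": {"StringEquals": {"kms:ViaService": f"fsx.{region}.amazonaws.com.cn"}},
            },
            {   # Grants may be created only on behalf of an AWS service, never directly by the principal.
                "Sid": "AllowFsxGrants",
                "Effect": "Allow",
                "Principal": {"AWS": user_arn},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))


def allowed_actions(policy, principal_arn):
    """KMS actions that some Allow statement grants principal_arn (Condition and Deny are not evaluated)."""
    candidates = FSX_REQUIRED | FSX_OPTIONAL
    granted = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        principals = _principals(statement)
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(statement.get("Action")):
            # IAM action wildcards behave like shell globs: kms:GenerateDataKey* matches the WithoutPlaintext variant.
            granted.update(a for a in candidates if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_fsx_permissions(policy, principal_arn):
    """Sorted list of required FSx permissions that the policy does not grant to principal_arn."""
    return sorted(FSX_REQUIRED - allowed_actions(policy, principal_arn))


def without_statement(policy, sid):
    """Copy of policy with one statement removed; used to show the checker catching a mistake."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    policy = fsx_key_policy(ACCOUNT, FSX_ROLE)
    print(json.dumps(policy, indent=2))  # suitable for: aws kms put-key-policy --policy-name default --policy file://...
    print("missing:", missing_fsx_permissions(policy, FSX_ROLE))
    print("missing without grant statement:",
          missing_fsx_permissions(without_statement(policy, "AllowFsxGrants"), FSX_ROLE))
```

Dropping the AllowFsxGrants statement is the mistake this catches: the role can still decrypt and generate data keys, but Amazon FSx cannot create the grant it relies on, and the file system creation fails on the KMS side.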