Basic Concepts and Terminology

This section defines concepts and terminology referenced in this whitepaper.

Amazon Elastic File System (Amazon EFS) – A highly available and highly durable service that provides simple, scalable, shared file storage in the AWS Cloud. Amazon EFS provides a standard file system interface and file system semantics. You can store virtually an unlimited amount of data across an unconstrained number of storage servers in multiple Availability Zones.
AWS Identity and Access Management (IAM) – A service that enables you to securely control fine-grained access to AWS service APIs. Policies are created and used to limit access to individual users, groups, and roles. You can manage your AWS KMS keys through the IAM console.
AWS KMS – A managed service that makes it easy for you to create and control KMS keys (formerly CMKs), the encryption keys used to encrypt your data. KMS keys are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions. AWS KMS is integrated with other AWS services that encrypt your data. It is also fully integrated with AWS CloudTrail to provide logs of API calls made by AWS KMS on your behalf, which can be helpful for meeting compliance or regulatory requirements applicable to your organization.
KMS key (formerly CMK) – Represents the top of your key hierarchy. It contains key material to encrypt and decrypt data. AWS KMS can generate this key material, or you can generate it and then import it into AWS KMS. KMS keys are specific to an AWS account and AWS Region and can be customer-managed or AWS-managed.
AWS KMS key (formerly AWS-managed CMK) – A KMS key that is generated by AWS on your behalf. An AWS KMS key is created when you enable encryption for a resource of an integrated AWS service. AWS KMS key policies are managed by AWS and you cannot change them. There is no charge for the creation or storage of AWS KMS keys.
Customer-managed KMS key – A KMS key you create by using the AWS Management Console or API, AWS CLI, or SDKs. You can use a customer-managed KMS key when you need more granular control over the CMK.
KMS Key Policy – A resource policy that controls access to a customer managed KMS key. Customers define these permissions using the key policy or a combination of IAM policies and the key policy. For more information, see Overview of Managing Access in the AWS KMS Developer Guide.
Data keys – Cryptographic keys generated by AWS KMS to encrypt data outside of AWS KMS. AWS KMS allows authorized entities (users or services) to obtain data keys protected by a KMS key.
Transport Layer Security (TLS) – The successor to Secure Sockets Layer (SSL), TLS is a cryptographic protocol essential for encrypting information that is exchanged over a network.
EFS mount helper – A Linux client agent (amazon-efs-utils ) used to simplify the mounting of EFS file systems. It can be used to setup, maintain, and route all NFS traffic over a TLS tunnel.

For more information about basic concepts and terminology, see AWS Key Management Service Concepts in the AWS KMS Developer Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Abstract and Introduction

Encryption of Data at Rest