Managing access to encrypted file systems
Using Amazon EFS, you can create encrypted file systems. Amazon EFS supports two forms of encryption for file systems, encryption in transit and encryption at rest. Any key management that you need to perform is related only to encryption at rest. Amazon EFS automatically manages the keys for encryption in transit.
If you create a file system that uses encryption at rest, data and metadata are encrypted
at rest. Amazon EFS uses AWS Key Management Service (AWS KMS) for key management. When you create a file system using
encryption at rest, you specify an AWS KMS key. The KMS key can be
aws/elasticfilesystem
(the AWS managed key for Amazon EFS), or it can be a
customer managed key that you manage.
File data—the contents of your files—is encrypted at rest using the KMS key that you specified when you created your file system. Metadata—file names, directory names, and directory contents—is encrypted using a key that Amazon EFS manages.
The EFS AWS managed key for your file system is used as the KMS key for encrypting the metadata in your file system, for example file names, directory names, and directory contents. You own the customer managed key used to encrypt file data (the contents of your files) at rest.
You manage who has access to your KMS keys and the contents of your encrypted file systems. This access is controlled by both AWS Identity and Access Management (IAM) policies and AWS KMS. IAM policies control a user's access to Amazon EFS API actions. AWS KMS key policies control a user's access to the KMS key that you specified when the file system was created. For more information, see the following:
-
IAM Users in the IAM User Guide
-
Key policies in AWS KMS in the AWS Key Management Service Developer Guide
-
Grants in AWS KMS in the AWS Key Management Service Developer Guide.
As a key administrator, you can import external keys. You can also modify keys by enabling
them, disabling them, or deleting them. The state of the KMS key that you specified (when you
created the file system with encryption at rest) affects access to its contents. The KMS key must
be in the enabled
state for users to have access to the contents of an
encrypted-at-rest file system that is encrypted using that key.