Using IAM to Enforce Creating Encrypted File Systems
You can create an AWS Identity and Access Management (IAM) identity-based policy to control whether users can create Amazon EFS file systems that are encrypted at rest. The Boolean condition key elasticfilesystem:Encrypted specifies the type of file system, encrypted or unencrypted, that the policy applies to. You use the condition key with the elasticfilesystem:CreateFileSystem action and the policy effect, allow or deny, to create a policy for creating encrypted or unencrypted file systems.
For example, an IAM policy that explicitly allows users to create only encrypted EFS file systems uses the following combination of effect, action, and condition:
- The Effect is Allow.
- The Action is elasticfilesystem:CreateFileSystem.
- The Condition elasticfilesystem:Encrypted is True.
The following example illustrates an IAM identity-based policy that authorizes principals to create only encrypted file systems.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "elasticfilesystem:CreateFileSystem",
                "Condition": {
                    "Bool": {
                        "elasticfilesystem:Encrypted": "true"
                    }
                },
                "Resource": "*"
            }
        ]
    }
If this policy is attached to a user who tries to create an unencrypted file system, the request fails. The user sees a message similar to the following, whether they are using the AWS Management Console, the AWS CLI, or the AWS API or SDK:
    User: arn:aws:iam::111122223333:user/username is not authorized to perform: elasticfilesystem:CreateFileSystem on the specified resource.
An IAM policy that explicitly allows creating only unencrypted EFS file systems can use the following combination of effect, action, and condition:
- The Effect is Allow.
- The Action is elasticfilesystem:CreateFileSystem.
- The Condition elasticfilesystem:Encrypted is False.
The following example illustrates an IAM identity-based policy that authorizes principals to create only unencrypted file systems.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "elasticfilesystem:CreateFileSystem",
                "Condition": {
                    "Bool": {
                        "elasticfilesystem:Encrypted": "false"
                    }
                },
                "Resource": "*"
            }
        ]
    }
If this policy is attached to a user who tries to create an encrypted file system, the request fails. The user sees a message similar to the following, whether they are using the AWS Management Console, the AWS CLI, or the AWS API or SDK:
    User: arn:aws:iam::111122223333:user/username is not authorized to perform: elasticfilesystem:CreateFileSystem on the specified resource.
You can also use policies like the previous examples in an AWS Organizations service control policy (SCP) to enforce the creation of encrypted Amazon EFS file systems for all AWS accounts in your organization. For more information about service control policies in AWS Organizations, see Service control policies in the AWS Organizations User Guide.
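To see how the two policies above decide a CreateFileSystem request before attaching them to real principals, here is an added Python example that is not part of the EFS documentation. It is a deliberately minimal offline evaluator, an assumption-level model of IAM rather than the IAM engine itself: it implements only default deny, explicit Deny precedence, and the Bool condition operator, treating a key that is absent from the request context as not matching.

```python
ACTION = "elasticfilesystem:CreateFileSystem"
COND_KEY = "elasticfilesystem:Encrypted"


def efs_create_policy(encrypted_only: bool) -> dict:
    """Build the page's allow-only-encrypted (True) or allow-only-unencrypted (False) policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0" if encrypted_only else "VisualEditor1",
            "Effect": "Allow",
            "Action": ACTION,
            "Condition": {"Bool": {COND_KEY: "true" if encrypted_only else "false"}},
            "Resource": "*",
        }],
    }


def bool_condition_matches(condition: dict, context: dict) -> bool:
    """Bool operator only (the subset this page uses); an absent context key never matches."""
    for key, wanted in condition.get("Bool", {}).items():
        if key not in context:
            return False
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if str(context[key]).lower() not in [str(v).lower() for v in allowed]:
            return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Simplified IAM logic: explicit Deny wins, a matching Allow allows, else implicit deny."""
    decision = "implicitDeny"  # the "not authorized to perform" outcome shown on the page
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions and "*" not in actions:
            continue
        if not bool_condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision


if __name__ == "__main__":
    policy = efs_create_policy(encrypted_only=True)
    for encrypted in (True, False):  # request context for CreateFileSystem(Encrypted=...)
        print(f"Encrypted={encrypted}: {evaluate(policy, ACTION, {COND_KEY: encrypted})}")
```

Run it to confirm that the encrypted-only policy allows Encrypted=true and implicitly denies Encrypted=false; a request that omits the key, or targets any other EFS action, is also denied.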
Create an IAM Policy That Authorizes Users to Create Only Encrypted EFS File Systems
You can create an IAM identity-based policy that authorizes users to create only encrypted Amazon EFS file systems using the console, the AWS CLI, or the API. The following procedure describes how to create such a policy using the IAM console, and then apply the policy to a user in your account.
To create an IAM policy to enforce creating encrypted EFS file systems
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, under Access management, choose Policies.
- Choose Create policy to display the Create policy page.
- Enter the following information using the Visual editor:
  - For Service, choose EFS.
  - For Actions, enter create in the search field, and then choose CreateFileSystem.
  - For Request conditions, choose Encrypted.
- Choose Review policy to display the Review policy page.
- Provide a Name and a Description for the policy. Verify the policy summary, including the Encrypted request condition. Choose Create policy to create the policy.
To apply the policy to a user in your account
- In the IAM console, under Access management, choose Users.
- Select the user that you want to apply the policy to.
- Choose Add permissions to display the Add permissions page.
- Choose Attach existing policies directly.
- Enter the name of the EFS policy that you created in the previous procedure.
- Select and expand the policy. Then choose { } JSON to verify the policy content. It should look like the following JSON policy.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "elasticfilesystem:CreateFileSystem",
                "Condition": {
                    "Bool": {
                        "elasticfilesystem:Encrypted": "true"
                    }
                },
                "Resource": "*"
            }
        ]
    }
- Choose Next: Review.
- Choose Add permissions to apply the policy to the user. This user can now only create Amazon EFS file systems that are encrypted at rest.