Basic Concepts and Terminology - Encrypting File Data with Amazon Elastic File System

Basic Concepts and Terminology

This section defines concepts and terminology referenced in this whitepaper.

  • Amazon Elastic File System (Amazon EFS) – A highly available and highly durable service that provides simple, scalable, shared file storage in the AWS Cloud. Amazon EFS provides a standard file system interface and file system semantics. You can store a virtually unlimited amount of data across an unconstrained number of storage servers in multiple Availability Zones.

  • AWS Identity and Access Management (IAM) – A service that enables you to securely control fine-grained access to AWS service APIs. Policies are created and used to limit access to individual users, groups, and roles. You can manage your AWS KMS keys through the IAM console.

  • AWS KMS – A managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions. AWS KMS is integrated with other AWS services that encrypt your data. It is also fully integrated with AWS CloudTrail to provide logs of API calls made by AWS KMS on your behalf, which can be helpful for meeting compliance or regulatory requirements applicable to your organization.

  • Customer master key (CMK) – Represents the top of your key hierarchy. It contains key material to encrypt and decrypt data. AWS KMS can generate this key material, or you can generate it and then import it into AWS KMS. CMKs are specific to an AWS account and AWS Region and can be customer-managed or AWS-managed.

  • AWS-managed CMK – A CMK that is generated by AWS on your behalf. An AWS-managed CMK is created when you enable encryption for a resource of an integrated AWS service. AWS-managed CMK key policies are managed by AWS and you cannot change them. There is no charge for the creation or storage of AWS-managed CMKs.

  • Customer-managed CMK – A CMK you create by using the AWS Management Console or API, AWS CLI, or SDKs. You can use a customer-managed CMK when you need more granular control over the CMK.

  • KMS Key Policy – A resource policy that controls access to a customer-managed CMK. Customers define these permissions using the key policy or a combination of IAM policies and the key policy. For more information, see Overview of Managing Access in the AWS KMS Developer Guide.

  • Data keys – Cryptographic keys generated by AWS KMS to encrypt data outside of AWS KMS. AWS KMS allows authorized entities (users or services) to obtain data keys protected by a CMK.

  • Transport Layer Security (TLS) – The successor to Secure Sockets Layer (SSL), TLS is a cryptographic protocol essential for encrypting information that is exchanged over a network.

  • EFS mount helper – A Linux client agent (amazon-efs-utils) used to simplify the mounting of EFS file systems. It can be used to set up and maintain a TLS tunnel and to route all NFS traffic through it.
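
The key policy and data key entries above describe how access to a customer-managed CMK is scoped; the following is an added example, not from the whitepaper, of such a key policy for a CMK that protects an EFS file system, with a small evaluator that checks the conditions it relies on. The account ID, role name and Region are placeholders, and the evaluator is a deliberate simplification (Allow statements and the conditions shown only, no Deny or IAM-policy merging).

```python
# Example KMS key policy for a customer-managed CMK used by Amazon EFS.
# Placeholders: account ID, role name and Region are not real values.
ACCOUNT = "111122223333"                                   # placeholder account ID
ROLE = f"arn:aws:iam::{ACCOUNT}:role/EfsAdminRole"         # hypothetical role
EFS_SERVICE = "elasticfilesystem.us-east-1.amazonaws.com"  # placeholder Region

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Lets IAM policies in the account grant KMS permissions on this key.
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        # Data-key operations for the role, but only when the request comes
        # through Amazon EFS (a direct KMS API call with this key is refused).
        {"Sid": "UseOnlyViaEFS", "Effect": "Allow",
         "Principal": {"AWS": ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": EFS_SERVICE}}},
        # EFS keeps using the key through grants; allow grants only for AWS resources.
        {"Sid": "GrantsForAWSResourcesOnly", "Effect": "Allow",
         "Principal": {"AWS": ROLE},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """Match an action against a policy action, honouring a trailing wildcard."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(principal_arn: str, action: str, context: dict) -> bool:
    """Simplified evaluation: True when some Allow statement names the principal,
    covers the action, and every condition key equals the value in `context`.
    Real IAM also applies Deny statements and merges IAM identity policies."""
    for stmt in KEY_POLICY["Statement"]:
        if stmt["Principal"]["AWS"] != principal_arn:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        conditions = stmt.get("Condition", {})
        if all(context.get(k) == v for op in conditions.values() for k, v in op.items()):
            return True
    return False
```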

For more information about basic concepts and terminology, see AWS Key Management Service Concepts in the AWS KMS Developer Guide.