Conclusion - Encrypting File Data with Amazon Elastic File System


Amazon EFS file system data can be encrypted at rest and in transit. You can encrypt data at rest by using CMKs that you can control and manage using AWS KMS. Creating an encrypted file system is as simple as selecting a check box in the Amazon EFS file system creation wizard in the AWS Management Console, or adding a single parameter to the CreateFileSystem operation in the AWS CLI, AWS SDKs, or Amazon EFS API.

You can enforce encryption at rest and in transit using AWS IAM identity-based policies and EFS file system policies, which further strengthens your security posture and helps you meet your compliance needs. Using an encrypted file system is transparent to services, applications, and users, with minimal effect on file system performance. You can encrypt data in transit by using the EFS mount helper to establish an encrypted TLS tunnel on each client, so that all NFS traffic between the client and the mounted EFS file system is encrypted. Enforcing encryption of Amazon EFS data at rest using IAM identity-based policies and in transit using EFS file system policies is available to you at no additional cost.
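As an added illustration of the two enforcement mechanisms summarized above (this is example code written for this page, not code from the whitepaper or from AWS), the following Python builds the IAM identity-based policy that denies creation of unencrypted file systems (condition key `elasticfilesystem:Encrypted`) and the EFS file system policy that denies any client action outside a TLS tunnel (condition key `aws:SecureTransport`), then audits both with a small checker so that a policy review can confirm the enforcement is actually present. The ARNs are constructed placeholders, the audit helpers are assumptions of this example rather than an AWS API, and the boto3 function at the end uses the real `create_file_system` and `put_file_system_policy` calls but is never invoked, so the module runs offline.

```python
"""Build and audit the EFS encryption-enforcement policies (added example)."""
import json

# Constructed placeholder identifiers; replace with your own resources.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/REPLACE-WITH-KEY-ID"
FILE_SYSTEM_ARN = (
    "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-REPLACE"
)


def iam_policy_require_encrypted_at_rest() -> dict:
    """Identity-based policy: deny CreateFileSystem unless the request sets
    Encrypted=true (real condition key elasticfilesystem:Encrypted)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedFileSystems",
            "Effect": "Deny",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {"Bool": {"elasticfilesystem:Encrypted": "false"}},
        }],
    }


def file_system_policy_require_tls(fs_arn: str) -> dict:
    """Resource-based file system policy: deny every client action when the
    NFS connection is not inside the mount helper's TLS tunnel
    (real global condition key aws:SecureTransport)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonTLSMounts",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": fs_arn,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


# --- audit helpers (assumption: written for this example, not an AWS API) ---

def _statements(policy: dict) -> list:
    """Normalize Statement, which IAM allows as a single object or a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _bool_condition(stmt: dict, key: str):
    """Return the Bool/BoolIfExists value for `key`, lower-cased, or None."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get(key)
        if value is not None:
            return str(value).lower()
    return None


def _covers_action(stmt: dict, action: str) -> bool:
    """True if the statement's Action list matches `action` or a wildcard."""
    actions = stmt.get("Action", [])
    actions = actions if isinstance(actions, list) else [actions]
    return any(a in ("*", "elasticfilesystem:*", action) for a in actions)


def _has_deny_when_false(policy: dict, key: str, action: str) -> bool:
    """Audit rule: some Deny covering `action` fires when `key` is false."""
    return any(
        stmt.get("Effect") == "Deny"
        and _covers_action(stmt, action)
        and _bool_condition(stmt, key) == "false"
        for stmt in _statements(policy)
    )


def enforces_encryption_at_rest(iam_policy: dict) -> bool:
    """Does this identity policy block creation of unencrypted file systems?"""
    return _has_deny_when_false(
        iam_policy, "elasticfilesystem:Encrypted",
        "elasticfilesystem:CreateFileSystem")


def enforces_tls(fs_policy: dict) -> bool:
    """Does this file system policy block mounts that are not over TLS?"""
    return _has_deny_when_false(
        fs_policy, "aws:SecureTransport", "elasticfilesystem:ClientMount")


def create_encrypted_file_system(kms_key_arn: str = KMS_KEY_ARN) -> str:
    """Not run here (needs AWS credentials): create an encrypted-at-rest file
    system and attach the TLS-only policy. Encrypted and KmsKeyId are the real
    CreateFileSystem parameters; the return value is the new file system ID."""
    import boto3  # imported lazily so the module still runs offline
    efs = boto3.client("efs")
    fs_id = efs.create_file_system(Encrypted=True, KmsKeyId=kms_key_arn)["FileSystemId"]
    fs_arn = efs.describe_file_systems(FileSystemId=fs_id)["FileSystems"][0]["FileSystemArn"]
    efs.put_file_system_policy(
        FileSystemId=fs_id, Policy=json.dumps(file_system_policy_require_tls(fs_arn)))
    return fs_id


if __name__ == "__main__":
    iam_policy = iam_policy_require_encrypted_at_rest()
    fs_policy = file_system_policy_require_tls(FILE_SYSTEM_ARN)
    print(json.dumps(iam_policy, indent=2))
    print(json.dumps(fs_policy, indent=2))
    print("at-rest enforced:", enforces_encryption_at_rest(iam_policy))
    print("TLS enforced:", enforces_tls(fs_policy))
```

Once the file system policy is attached, clients must mount with the EFS mount helper's TLS option (for example `mount -t efs -o tls fs-REPLACE:/ /mnt/efs`) or the Deny statement rejects the mount; running the audit functions over policies pulled from your accounts is a quick way to spot file systems or roles where enforcement was never configured.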