Creating an Encrypted File System Using the AWS Management Console - Encrypting File Data with Amazon Elastic File System


Use the following procedure to create an encrypted Amazon EFS file system using the AWS Management Console.

Step 1. Configure File System Settings

In this step, you configure general file system settings, including Lifecycle management, Performance and Throughput modes, and encryption of data at rest.

  1. Sign in to the AWS Management Console and open the Amazon EFS console.

  2. Choose Create file system to open the Create file system dialog box. For more information about creating a file system using the recommended settings, which enable encryption by default, see Create Your Amazon EFS File System.


  3. (Optional) Select Customize to create a customized file system instead of creating a file system using the service recommended settings.

    The File system settings page appears.


  4. For General settings, enter the following details.

    • (Optional) Enter a Name for the file system.

    • Automatic backups are turned on by default. You can turn off automatic backups by clearing the check box. For more information, see Using AWS Backup with Amazon EFS.

    • Choose a Lifecycle management policy. Amazon EFS lifecycle management automatically manages cost-effective file storage for your file systems. When enabled, lifecycle management migrates files that have not been accessed for a set period to the Infrequent Access (IA) storage class. You define that period by using a lifecycle policy. If you don't want lifecycle management enabled, choose None. For more information, see EFS lifecycle management in the Amazon EFS User Guide.

    • Choose a Performance mode: either the default General Purpose mode or Max I/O. For more information, see Performance Modes in the Amazon EFS User Guide.

    • Choose a Throughput mode: either the default Bursting mode or Provisioned mode.

    • If you selected Provisioned, the Provisioned Throughput (MiB/s) field is displayed. Enter the amount of throughput to provision for the file system. After you enter the throughput, the console displays an estimate of the monthly cost next to the field. For more information, see Throughput Modes in the Amazon EFS User Guide.

    • For Encryption, encryption of data at rest is enabled by default. It uses your AWS Key Management Service (AWS KMS) EFS service key (aws/elasticfilesystem) by default. To choose a different KMS key to use for encryption, expand Customize encryption settings and choose a key from the list. Or, enter a KMS key ID or Amazon Resource Name (ARN) for the KMS key you want to use.

      If you need to create a new key, choose Create an AWS KMS key to launch the AWS KMS console and create a new key.

  5. (Optional) Choose Add tag to add key-value pairs to your file system.

  6. Choose Next to continue to the Network Access step in the configuration process.

Step 2. Configure Network Access

In this step, you configure the file system’s network settings, including the virtual private cloud (VPC) and mount targets. For each mount target, set the Availability Zone, subnet, IP address, and security groups.


  1. Choose the Virtual Private Cloud (VPC) where you want EC2 instances to connect to your file system. For more information, see Managing file system network accessibility in the Amazon EFS User Guide.

    • Availability zone – By default, a mount target is configured in each Availability Zone in an AWS Region. If you don’t want a mount target in a particular Availability Zone, choose Remove to delete the mount target for that zone. Create a mount target in every Availability Zone that you plan to access your file system from. There is no cost to do so.

    • Subnet ID – Choose from the available subnets in an Availability Zone. The default subnet is preselected. As a best practice, ensure that the chosen subnet is public or private based on your security requirements.

    • IP Address – By default, Amazon EFS chooses the IP address automatically from the available addresses in the subnet. Or, you can enter a specific IP address that’s in the subnet. Although mount targets have a single IP address, they are redundant, highly available network resources.

    • Security groups – You can specify one or more security groups for the mount target. As a best practice, ensure that the security group is used only for EFS mount purposes (NFS port 2049) and that its inbound rules allow port 2049 only from the VPC CIDR block range, or use a security group as the source for the resources that need to access EFS. For more information, see Using Security Groups for Amazon EC2 Instances and Mount Targets in the Amazon EFS User Guide.

      To add another security group, or to change the security group, select Choose security groups and add another security group from the list. If you don’t want to use the default security group, you can delete it. For more information, see Creating security groups in the Amazon EFS User Guide.

  2. Choose Add mount target to create a mount target for an Availability Zone that doesn’t have one. If a mount target is configured for each Availability Zone, this choice is not available.

  3. Choose Next to continue. The File system policy page is displayed.

Step 3. Create a File System Policy

In this step, you create a file system policy to control NFS client access to the file system. An EFS file system policy is an IAM resource policy that you use to control NFS client access to the file system. For more information, see Using IAM to Control NFS Access to Amazon EFS in the Amazon EFS User Guide.


  1. In Policy options, we recommend that you choose from the following preconfigured policy options:

    • Prevent root access by default

    • Enforce read-only access by default

    • Enforce in-transit encryption for all clients

  2. Use Grant additional permissions to grant file system permissions to additional IAM principals, including another AWS account. Choose Add, enter the Principal ARN of the entity to which you are granting permissions, then choose the Permissions to grant.

  3. Use the Policy editor to customize a preconfigured policy or to create your own policy based on your requirements. When you choose one of the preconfigured policies, the JSON policy definition appears in the policy editor.

  4. Choose Next to continue. The Review and create page will appear.
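The three preconfigured options above are expressed in the file system policy JSON through the elasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite actions and the aws:SecureTransport condition. The following audit function is an added example, not part of the AWS documentation or the EFS console: it reads a policy document (here a constructed sample shaped like the console's output, with placeholder Sid values) and reports which of the three options it enforces, so you can verify an existing file system's policy rather than trusting the check boxes.

```python
import json

# Constructed sample resembling the console's preconfigured policy.
# The Sid values are placeholders; the console generates its own.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "placeholder-allow-mount",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["elasticfilesystem:ClientMount"],
            "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
        },
        {
            "Sid": "placeholder-deny-cleartext",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _actions(stmt):
    """Normalise the Action element, which may be a string or a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _bool_condition(stmt, key):
    return str(stmt.get("Condition", {}).get("Bool", {}).get(key, "")).lower()


def audit_efs_policy(policy):
    """Return which of the three console hardening options the file system policy enforces.

    Only the resource policy is examined: identity-based IAM policies in the same
    account can still grant ClientWrite or ClientRootAccess, so treat a True here
    as necessary, not sufficient.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    denies = [s for s in stmts if s.get("Effect") == "Deny"]

    def allow_grants(action):
        # A wildcard or service-wide wildcard grants the action too.
        return any(a in ("*", "elasticfilesystem:*", action)
                   for s in allows for a in _actions(s))

    enforce_tls = any("*" in _actions(s) and _bool_condition(s, "aws:SecureTransport") == "false"
                      for s in denies)
    return {
        "prevent_root_access": not allow_grants("elasticfilesystem:ClientRootAccess"),
        "read_only": not allow_grants("elasticfilesystem:ClientWrite"),
        "enforce_in_transit_encryption": enforce_tls,
    }
```

The same function can be pointed at the output of describe-file-system-policy for a deployed file system.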

Step 4. Review and Create

In this step, you review the file system settings, make any modifications, then create the file system.


  1. Review each of the file system configuration groups. You can make changes to each group at this time by choosing Edit.

  2. Choose Create to create your file system and return to the File systems page.

  3. The File systems page displays the file system and its configuration details, as shown in the following image.

    (Image: File systems page)