Creating an Encrypted File System - Encrypt Data at Rest with Amazon EFS Encrypted File Systems

Creating an Encrypted File System

You can create an encrypted file system using the AWS Management Console, AWS CLI, Amazon EFS API, or AWS SDKs. You can only enable encryption for a file system when you create it; it cannot be turned on for an existing file system. Amazon EFS integrates with AWS KMS for key management and uses a CMK to encrypt the file system. File system metadata, such as file names, directory names, and directory contents, is encrypted and decrypted using an EFS-managed key. The contents of your files, or file data, are encrypted and decrypted using a CMK that you choose. The CMK can be one of three types:

  • An AWS-managed CMK for Amazon EFS

  • A customer-managed CMK from your AWS account

  • A customer-managed CMK from a different AWS account

All users have an AWS-managed CMK for Amazon EFS, whose alias is aws/elasticfilesystem. AWS manages this CMK’s key policy and you cannot change it. There is no cost for creating and storing AWS-managed CMKs.

If you decide to use a customer-managed CMK to encrypt your file system, select the key alias of the customer-managed CMK that you own or enter the Amazon Resource Name (ARN) of a customer-managed CMK that is owned by a different account. With a customer-managed CMK that you own, you control which users and services can use the key through key policies and key grants. You also control the life span and rotation of these keys by choosing when to disable, re-enable, delete, or revoke access to them. AWS KMS charges a fee for creating and storing customer-managed CMKs. For information about managing access to keys in other AWS accounts, see Allowing External AWS Accounts to Access a CMK in the AWS KMS Developer Guide.

For more information about how to manage customer-managed CMKs, see AWS Key Management Service Concepts in the AWS KMS Developer Guide.

The following sections discuss how to create an encrypted file system using the AWS Management Console and using the AWS CLI.

Creating an Encrypted File System Using the AWS Management Console

To create an encrypted Amazon EFS file system using the AWS Management Console, follow these steps.

  1. On the Amazon EFS console, select Create file system to open the file system creation wizard.

  2. For Step 1: Configure file system access, choose your VPC, create your mount targets, and then choose Next Step.

  3. For Step 2: Configure optional settings, add any tags, choose your performance mode, select the box to enable encryption for your file system, select a KMS master key, and then choose Next Step.

    Figure: Enabling encryption through the AWS Management Console

  4. For Step 3: Review and create, review your settings and choose Create File System.

Creating an Encrypted File System Using the AWS CLI

When you use the AWS CLI to create an encrypted file system, you use additional parameters to set the encryption status and customer-managed CMK. Be sure you are using the latest version of the AWS CLI. For information about how to upgrade your AWS CLI, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.

In the CreateFileSystem operation, the --encrypted parameter is a Boolean and is required for creating encrypted file systems. The --kms-key-id parameter is required only when you use a customer-managed CMK; its value is the key's alias or ARN. Do not include this parameter if you're using the AWS-managed CMK.

$ aws efs create-file-system \
    --creation-token $(uuidgen) \
    --performance-mode generalPurpose \
    --encrypted \
    --kms-key-id alias/customer-managedCMKalias
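The following script is an added example and is not part of the whitepaper or of any AWS tooling. It builds the create-file-system argument list described above (adding --kms-key-id only for a customer-managed CMK and rejecting values that are not a KMS key ID, key ARN, alias name or alias ARN), and it audits constructed describe-file-systems output to flag file systems that were created unencrypted, which matters because encryption can only be chosen at creation. The account ID, key ID and file system IDs are placeholders; the regular expressions are this example's own checks, not an AWS API.

```python
import json
import re
import uuid

# Alias of the AWS-managed CMK for Amazon EFS, as given in the text.
AWS_MANAGED_EFS_ALIAS = "alias/aws/elasticfilesystem"

# Accepted forms of a KMS key identifier: key ID, key ARN, alias name, alias ARN.
# These patterns are this example's own validation, not an AWS-published grammar.
_KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]{36}$")
_ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
_ALIAS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):alias/[A-Za-z0-9/_-]+$")


def is_valid_kms_key_id(value):
    """True if value looks like a key ID, key ARN, alias name or alias ARN."""
    return any(p.match(value) for p in (_KEY_ID_RE, _KEY_ARN_RE, _ALIAS_RE, _ALIAS_ARN_RE))


def build_create_file_system_args(creation_token, kms_key_id=None,
                                  performance_mode="generalPurpose"):
    """Return the `aws efs create-file-system` argument list for an encrypted file system.

    --encrypted is always set. --kms-key-id is added only when a customer-managed
    CMK is given; omitting it selects the AWS-managed CMK (aws/elasticfilesystem).
    """
    args = ["aws", "efs", "create-file-system",
            "--creation-token", creation_token,
            "--performance-mode", performance_mode,
            "--encrypted"]
    if kms_key_id is not None:
        if not is_valid_kms_key_id(kms_key_id):
            # Catches mistakes such as a 'user/...' prefix instead of 'alias/...'.
            raise ValueError(f"not a KMS key ID, key ARN, alias or alias ARN: {kms_key_id!r}")
        args += ["--kms-key-id", kms_key_id]
    return args


def audit_file_systems(describe_output, own_account_id):
    """Classify each file system from `aws efs describe-file-systems` output.

    Returns a list of (FileSystemId, status) with status one of
    'unencrypted', 'same-account-cmk' or 'external-account-cmk'.
    An 'unencrypted' finding cannot be fixed in place: the file system has to be
    recreated with --encrypted and the data migrated.
    """
    findings = []
    for fs in describe_output["FileSystems"]:
        if not fs.get("Encrypted", False):
            findings.append((fs["FileSystemId"], "unencrypted"))
            continue
        m = _KEY_ARN_RE.match(fs.get("KmsKeyId", ""))
        key_account = m.group(1) if m else None
        status = "same-account-cmk" if key_account == own_account_id else "external-account-cmk"
        findings.append((fs["FileSystemId"], status))
    return findings


# Constructed sample of describe-file-systems output (placeholder IDs and ARNs).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"FileSystems": [
  {"FileSystemId": "fs-11111111", "Encrypted": false},
  {"FileSystemId": "fs-22222222", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
  {"FileSystemId": "fs-33333333", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
]}
""")

if __name__ == "__main__":
    # AWS-managed CMK: no --kms-key-id at all.
    print(" ".join(build_create_file_system_args(str(uuid.uuid4()))))
    # Customer-managed CMK referenced by alias name.
    print(" ".join(build_create_file_system_args(str(uuid.uuid4()),
                                                  "alias/customer-managedCMKalias")))
    for fs_id, status in audit_file_systems(SAMPLE_DESCRIBE_OUTPUT, "111122223333"):
        print(fs_id, status)
```

The audit distinguishes keys by the account in the key ARN only; telling an AWS-managed CMK from a customer-managed one in the same account would additionally require the KeyManager field returned by `aws kms describe-key`, which this example does not call.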

For more information about creating Amazon EFS file systems using the AWS Management Console, AWS CLI, AWS SDKs, or Amazon EFS API, see the Amazon EFS User Guide.