Enforcing Encryption of Data at Rest
Encryption has minimal effect on I/O latency and throughput. Encryption and decryption are transparent to users, applications, and services. All data and metadata are encrypted by Amazon EFS on your behalf before they are written to disk and decrypted before they are read by clients. You don't need to change client tools, applications, or services to access an encrypted file system.
Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment. You can use AWS Identity and Access Management (IAM) policies to enforce this requirement.
For example, an IAM policy that explicitly allows users to create only encrypted EFS file systems uses the following combination of effect, action, and condition:
The Effect is Allow.
The Action is elasticfilesystem:CreateFileSystem.
The Condition is elasticfilesystem:Encrypted set to true.
The following example illustrates an IAM identity-based policy that authorizes principals to create only encrypted file systems.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:Encrypted": "true"
                }
            },
            "Resource": "*"
        }
    ]
}
The Resource element set to * means that the statement applies to any file system the principal creates. You can add further condition keys based on tags (for example, aws:RequestTag) so that the requirement applies only to the subset of EFS resources with data classification needs. Note that an Allow statement with this condition only grants the ability to create encrypted file systems; it does not by itself block unencrypted ones if the principal also holds another policy that grants elasticfilesystem:CreateFileSystem without the condition. To enforce the requirement regardless of other grants, pair it with an explicit Deny on elasticfilesystem:CreateFileSystem conditioned on elasticfilesystem:Encrypted being false, in an identity policy or in a service control policy.
You can also enforce the creation of encrypted Amazon EFS file systems at the AWS Organizations level by using service control policies for all AWS accounts or OUs in your organization. For more information about service control policies in AWS Organizations, see Service control policies in the AWS Organizations User Guide.
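The following is an added example, not AWS code and not the IAM policy engine: a small simulator of the subset of IAM evaluation that matters for the identity policy and the SCP described above (Action matching, Bool and BoolIfExists conditions, and the rule that an explicit Deny always wins over any Allow). The Allow policy is the one from this page; the broad admin-style policy and the Deny guardrail are constructed for the example, and the request contexts are constructed too. It shows the gap a condition on an Allow leaves when another policy grants the action, and how an explicit Deny (as an identity policy or an SCP) closes it.

```python
"""Minimal simulator of IAM policy evaluation for elasticfilesystem:Encrypted.

Added example, not AWS code: implements only Allow/Deny, wildcard Action
matching, Bool / BoolIfExists conditions and explicit-deny-wins. Resource is
ignored because every statement here uses "*".
"""
from fnmatch import fnmatchcase

ACTION = "elasticfilesystem:CreateFileSystem"
KEY = "elasticfilesystem:Encrypted"

# Policy from the page: grants creation of encrypted file systems only.
ALLOW_ENCRYPTED_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ACTION,
        "Condition": {"Bool": {KEY: "true"}},
        "Resource": "*",
    }],
}

# Constructed: a broad grant attached elsewhere (e.g. an admin role), no condition.
BROAD_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "BroadAllow", "Effect": "Allow",
                   "Action": "elasticfilesystem:*", "Resource": "*"}],
}


def deny_unencrypted_policy(operator="Bool"):
    """Constructed guardrail: explicit Deny when Encrypted is false. Usable as an
    identity policy or an SCP. operator is "Bool" or "BoolIfExists"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencrypted",
            "Effect": "Deny",
            "Action": ACTION,
            "Condition": {operator: {KEY: "false"}},
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context.
    IAM semantics for a missing key: Bool -> no match; BoolIfExists -> match."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            actual = str(context[key]).lower()
            if actual not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(policies, action, context):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request.
    context maps condition keys (e.g. elasticfilesystem:Encrypted) to values."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # explicit deny wins over every Allow
            allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    encrypted, unencrypted = {KEY: "true"}, {KEY: "false"}
    cases = [
        ("page Allow only, encrypted", [ALLOW_ENCRYPTED_ONLY], encrypted),
        ("page Allow only, unencrypted", [ALLOW_ENCRYPTED_ONLY], unencrypted),
        ("page Allow + broad grant, unencrypted",
         [ALLOW_ENCRYPTED_ONLY, BROAD_ALLOW], unencrypted),
        ("page Allow + broad grant + Deny guardrail, unencrypted",
         [ALLOW_ENCRYPTED_ONLY, BROAD_ALLOW, deny_unencrypted_policy()], unencrypted),
        ("Deny guardrail (Bool), key absent from request",
         [BROAD_ALLOW, deny_unencrypted_policy("Bool")], {}),
        ("Deny guardrail (BoolIfExists), key absent from request",
         [BROAD_ALLOW, deny_unencrypted_policy("BoolIfExists")], {}),
    ]
    for name, policies, ctx in cases:
        print(f"{name}: {evaluate(policies, ACTION, ctx)}")
```

The third case is the one to remember: the Allow from this page never permits an unencrypted file system, but it also never forbids one, so any other policy granting elasticfilesystem:CreateFileSystem reopens the path. The last two cases show the operator choice for the Deny: with Bool, a request context that lacks the key does not trigger the Deny, while BoolIfExists treats an absent key as a match. Whether EFS populates elasticfilesystem:Encrypted when the parameter is omitted is not stated on this page, so verify that against the service's condition-key documentation before relying on Bool alone.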