Enforcing Encryption of Data at Rest - Encrypting File Data with Amazon Elastic File System

Enforcing Encryption of Data at Rest

Encryption has minimal effect on I/O latency and throughput. Encryption and decryption are transparent to users, applications, and services. All data and metadata are encrypted by Amazon EFS on your behalf before they are written to disk and are decrypted before they are read by clients. You don’t need to change client tools, applications, or services to access an encrypted file system.

Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment. You can use AWS Identity and Access Management (IAM) identity-based policies to enforce encryption of data at rest for your Amazon EFS file system resources. Using the elasticfilesystem:Encrypted IAM condition key, you can prevent principals from creating EFS file systems that aren’t encrypted.

For example, an IAM policy that explicitly allows users to create only encrypted EFS file systems uses the following combination of effect, action, and condition:

  • The Effect is Allow.

  • The Action is elasticfilesystem:CreateFileSystem.

  • The Condition elasticfilesystem:Encrypted is true.

The following example illustrates an IAM identity-based policy that authorizes principals to create only encrypted file systems.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Condition": {
        "Bool": {
          "elasticfilesystem:Encrypted": "true"
        }
      },
      "Resource": "*"
    }
  ]
}

The Resource element set to * means that the statement applies to every EFS file system the principal creates; the file system does not exist yet when CreateFileSystem is called, so there is no ARN to scope the statement to. You can add further condition keys, such as aws:RequestTag/<tag-key> for tags supplied on the create request, to apply the rule only to the subset of file systems with a data classification requirement. Note that this is an Allow statement: it grants the ability to create encrypted file systems and nothing more, but it does not override other policies. A principal that also holds a broader Allow for elasticfilesystem:CreateFileSystem (for example, from an administrator policy) can still create an unencrypted file system. To block that outright, pair it with an explicit Deny on the same action whose condition is elasticfilesystem:Encrypted equal to false, because an explicit Deny takes precedence over any Allow.

You can also enforce the creation of encrypted Amazon EFS file systems at the AWS Organizations level by using service control policies for all AWS Accounts or OUs in your organization. For more information about service control policies in AWS Organizations, see Service control policies in the AWS Organizations User Guide.
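The following is an added example, not code from this whitepaper or from AWS: a small Python model of the IAM decision rules the two preceding paragraphs depend on (an applicable explicit Deny always wins, otherwise any applicable Allow grants access, otherwise the request is implicitly denied; Bool and StringEquals conditions, with all keys in one Condition block ANDed). It runs the page's Allow-only policy, an explicit Deny of the kind you would place in a service control policy, and a tag-scoped Deny against constructed request contexts, to show concretely why an Allow statement alone does not stop a principal with broader permissions, and how a Deny closes that gap. The ADMIN_ALLOW_ALL policy, the aws:RequestTag/DataClassification tag key and the "confidential"/"public" values are assumptions made for the illustration; the evaluator covers only the subset of IAM semantics needed here, not the full service.

```python
"""Toy model of the IAM evaluation rules this page relies on.

Added example, not code from the whitepaper or from AWS. Models only:
an applicable explicit Deny wins, otherwise any applicable Allow grants,
otherwise implicit deny. Operators: Bool and StringEquals, ANDed within
one Condition block. Real IAM has many more operators and rules.
"""
from fnmatch import fnmatchcase

CREATE_FS = "elasticfilesystem:CreateFileSystem"
ENCRYPTED_KEY = "elasticfilesystem:Encrypted"

# The policy shown on this page: Allow, but only when Encrypted is true.
ALLOW_ENCRYPTED_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": CREATE_FS,
        "Condition": {"Bool": {ENCRYPTED_KEY: "true"}},
        "Resource": "*",
    }],
}

# A broad policy the same principal might also carry (constructed for the example).
ADMIN_ALLOW_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Explicit Deny form, the shape you would use in an SCP: blocks unencrypted
# creation regardless of what any other policy allows.
DENY_UNENCRYPTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedEfs",
        "Effect": "Deny",
        "Action": CREATE_FS,
        "Condition": {"Bool": {ENCRYPTED_KEY: "false"}},
        "Resource": "*",
    }],
}

# Same Deny, scoped by a tag on the create request. Tag key and value are
# assumptions for illustration; both conditions must hold for the Deny to apply.
DENY_UNENCRYPTED_CONFIDENTIAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedConfidentialEfs",
        "Effect": "Deny",
        "Action": CREATE_FS,
        "Condition": {
            "Bool": {ENCRYPTED_KEY: "false"},
            "StringEquals": {"aws:RequestTag/DataClassification": "confidential"},
        },
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, context):
    """True when every operator/key pair matches the request context.
    A key absent from the context makes the condition false (IAM's rule
    for the plain operators, i.e. without the ...IfExists variants)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key])
            if operator == "Bool":
                if actual.lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in [str(v) for v in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scenarios():
    """Constructed requests showing why Allow-only does not block unencrypted file systems."""
    enc = {ENCRYPTED_KEY: "true"}
    unenc = {ENCRYPTED_KEY: "false"}
    unenc_conf = {**unenc, "aws:RequestTag/DataClassification": "confidential"}
    unenc_pub = {**unenc, "aws:RequestTag/DataClassification": "public"}
    return {
        "allow_only/encrypted": evaluate([ALLOW_ENCRYPTED_ONLY], CREATE_FS, enc),
        "allow_only/unencrypted": evaluate([ALLOW_ENCRYPTED_ONLY], CREATE_FS, unenc),
        "allow_only+admin/unencrypted": evaluate([ALLOW_ENCRYPTED_ONLY, ADMIN_ALLOW_ALL], CREATE_FS, unenc),
        "deny+admin/unencrypted": evaluate([ADMIN_ALLOW_ALL, DENY_UNENCRYPTED], CREATE_FS, unenc),
        "deny+admin/encrypted": evaluate([ADMIN_ALLOW_ALL, DENY_UNENCRYPTED], CREATE_FS, enc),
        "tagged_deny+admin/confidential": evaluate([ADMIN_ALLOW_ALL, DENY_UNENCRYPTED_CONFIDENTIAL], CREATE_FS, unenc_conf),
        "tagged_deny+admin/public": evaluate([ADMIN_ALLOW_ALL, DENY_UNENCRYPTED_CONFIDENTIAL], CREATE_FS, unenc_pub),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:34} {decision}")
```

The third scenario is the one to notice: with the page's Allow-only policy plus any broader Allow, an unencrypted CreateFileSystem succeeds, whereas the explicit Deny blocks it no matter what else the principal holds. The model also follows IAM's general rule that a condition on a key missing from the request context evaluates to false, so a Deny keyed on Encrypted being false does not fire when the key is absent; whether EFS always populates elasticfilesystem:Encrypted when the request omits the parameter is not stated on this page and should be confirmed against the EFS condition-key documentation before relying on the Deny form alone.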