Encrypting data at rest
You can create encrypted file systems using the AWS Management Console, the AWS CLI, or programmatically through the Amazon EFS API or one of the AWS SDKs. Your organization might require the encryption of all data that meets a specific classification or is associated with a particular application, workload, or environment.
Once you create an EFS file system, you cannot change its encryption setting. This means that you cannot modify an unencrypted file system to make it encrypted. Instead, you need to create a new, encrypted file system.
Note
The AWS key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms. The infrastructure is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations.
Enforcing the creation of EFS file systems encrypted at rest
You can use the elasticfilesystem:Encrypted IAM condition key in AWS Identity and Access Management (IAM) identity-based policies to control whether users can create Amazon EFS file systems that are encrypted at rest. For more information about using the condition key, see Example: Enforce the creation of encrypted file systems.
You can also define service control policies (SCPs) inside AWS Organizations to enforce EFS encryption for all AWS accounts in your organization. For more information about service control policies in AWS Organizations, see Service control policies in the AWS Organizations User Guide.
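The following is an added example, not part of the Amazon EFS documentation, of what an identity-based policy built on the elasticfilesystem:Encrypted condition key looks like, together with a small evaluator that shows why the Deny statement matches an unencrypted CreateFileSystem request and not an encrypted one. The function names are this example's own; the evaluator models only the IAM Bool condition operator and the standard rule that a condition key absent from the request context does not match.

```python
import json

# Added example (not AWS documentation code): an identity-based policy that
# denies elasticfilesystem:CreateFileSystem whenever the request asks for an
# unencrypted file system, using the elasticfilesystem:Encrypted condition key.


def build_enforce_encryption_policy() -> dict:
    """Return an IAM policy document denying creation of unencrypted EFS file systems."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedEfsCreate",
                "Effect": "Deny",
                "Action": "elasticfilesystem:CreateFileSystem",
                "Resource": "*",
                "Condition": {
                    "Bool": {"elasticfilesystem:Encrypted": "false"}
                },
            }
        ],
    }


def policy_json() -> str:
    """Serialize the policy document as it would be attached to a user, group, or role."""
    return json.dumps(build_enforce_encryption_policy(), indent=4)


def _bool_condition_matches(policy_value: str, request_value) -> bool:
    """Model the IAM Bool operator: compare case-insensitively, accepting a
    Python bool or the strings 'true'/'false' from the request context."""
    return str(request_value).lower() == policy_value.lower()


def is_create_denied(policy: dict, request_context: dict) -> bool:
    """Simplified evaluator: True when a Deny statement covering
    elasticfilesystem:CreateFileSystem matches the request context.
    Only Bool conditions are modeled; a key missing from the context makes
    the condition evaluate to false, so the Deny does not apply."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "elasticfilesystem:CreateFileSystem" not in actions:
            continue
        bool_conds = stmt.get("Condition", {}).get("Bool", {})
        if all(
            key in request_context
            and _bool_condition_matches(value, request_context[key])
            for key, value in bool_conds.items()
        ):
            return True
    return False


if __name__ == "__main__":
    policy = build_enforce_encryption_policy()
    print(policy_json())
    for encrypted in (True, False):
        ctx = {"elasticfilesystem:Encrypted": encrypted}
        print(f"Encrypted={encrypted}: denied={is_create_denied(policy, ctx)}")
```

Because the statement is a Deny, it overrides any Allow for CreateFileSystem elsewhere in the principal's policies; an equivalent statement placed in an SCP applies the same rule to every account in the organization.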
Encrypting a file system at rest using the console
When you create a new file system using the Amazon EFS console, encryption at rest is enabled by default.
Note
Encryption at rest is not enabled by default when you create a new file system using the AWS CLI, the API, or the SDKs; you must request it explicitly. For more information, see Create a file system (AWS CLI).
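Since the CLI, API, and SDKs do not enable encryption by default and the setting cannot be changed afterwards, the added example below (this page's own illustration, not Amazon EFS code) shows two defender-side checks: a parameter builder for boto3's create_file_system that always sets Encrypted=True and refuses to proceed otherwise, and an audit over DescribeFileSystems-style records that lists file systems which were created unencrypted and therefore need a new, encrypted replacement. The file system records and the KMS key ARN are constructed sample data; the function names are this example's own.

```python
from typing import List, Optional

# Added example (not AWS documentation code). Sample records below are
# constructed to mirror the shape of DescribeFileSystems output.


def encrypted_create_params(creation_token: str, kms_key_id: Optional[str] = None) -> dict:
    """Build keyword arguments for boto3 client('efs').create_file_system().
    Encrypted is always set explicitly because the API default is unencrypted.
    When kms_key_id is omitted, EFS uses the AWS managed key for EFS."""
    params = {"CreationToken": creation_token, "Encrypted": True}
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    return params


def assert_encrypted_request(params: dict) -> dict:
    """Guard to run immediately before the API call: reject any parameter set
    that omits Encrypted or sets it to False, which would silently create an
    unencrypted file system that can never be converted."""
    if params.get("Encrypted") is not True:
        raise ValueError("refusing to create an EFS file system without Encrypted=True")
    return params


# Constructed sample of DescribeFileSystems()["FileSystems"] entries.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0example0001", "Name": "payroll-data", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"FileSystemId": "fs-0example0002", "Name": "legacy-share", "Encrypted": False},
    {"FileSystemId": "fs-0example0003", "Name": "scratch", "Encrypted": False},
]


def find_unencrypted(file_systems: List[dict]) -> List[dict]:
    """Return a remediation list: one entry per file system created without
    encryption. Because the encryption setting is immutable, the remediation
    is always to create a new encrypted file system and migrate the data."""
    findings = []
    for fs in file_systems:
        if not fs.get("Encrypted", False):
            findings.append({
                "FileSystemId": fs["FileSystemId"],
                "Name": fs.get("Name", ""),
                "Remediation": "create new encrypted file system and migrate data",
            })
    return findings


if __name__ == "__main__":
    params = assert_encrypted_request(encrypted_create_params("payroll-2024"))
    print("create_file_system params:", params)
    # In a live environment: boto3.client("efs").create_file_system(**params)
    for finding in find_unencrypted(SAMPLE_FILE_SYSTEMS):
        print(finding)
```

Running the audit against real accounts means paginating through describe_file_systems in each Region and feeding the FileSystems lists to find_unencrypted; pairing it with the Deny policy keeps the list from growing again.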
How encryption at rest works
In an encrypted file system, data and metadata are automatically encrypted before being written to the file system. Similarly, as data and metadata are read, they are automatically decrypted before being presented to the application. These processes are handled transparently by Amazon EFS, so you don't have to modify your applications.
Amazon EFS uses the industry-standard AES-256 encryption algorithm to encrypt EFS data and metadata at rest. For more information, see Cryptography basics in the AWS Key Management Service Developer Guide.