Creating an IAM Policy Requiring that all EFS File Systems be Encrypted
You can create an IAM identity-based policy that authorizes users to create only encrypted Amazon EFS file systems using the console, the AWS CLI, or the API. The following procedure describes how to create such a policy using the IAM console, and then apply the policy to a user in your account.
To create an IAM policy to enforce encrypted EFS file systems:
- Sign in to the AWS Management Console and open the IAM console.
- In the navigation pane, under Access management, choose Policies.
- Choose Create policy to display the Create policy page.
- In the Visual editor tab, enter the following information:
  For Service, choose EFS.
  For Actions, enter create in the search field, and then choose CreateFileSystem.
  For Request conditions, choose Add condition. Choose elasticfilesystem:Encrypted for Condition key, Bool for Operator, and true for Value.
- Provide a Name and a Description for the policy. Verify the policy summary, including the elasticfilesystem:Encrypted request condition.
- Choose Create policy to create the policy.
To apply the policy to a user in your account:
- In the IAM console, under Access management, choose Users.
- Select the user that you want to attach the policy to.
- Choose Add permissions to display the Add permissions page.
- Choose Attach existing policies directly.
- Enter the name of the EFS policy that you created in the previous procedure.
- Select the policy, expand it, and choose {} JSON to verify its content. It should look like the following JSON policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "elasticfilesystem:CreateFileSystem",
          "Condition": {
            "Bool": {
              "elasticfilesystem:Encrypted": "true"
            }
          },
          "Resource": "*"
        }
      ]
    }

The Allow statement grants elasticfilesystem:CreateFileSystem only when the request sets Encrypted to true; a request with Encrypted set to false does not match the Bool condition and receives no permission from this policy. Note that a conditional Allow does not override other policies: if the user also holds an unconditional CreateFileSystem allow from another attached policy, that policy still permits creating unencrypted file systems.
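The following script is an added example, not code from the AWS documentation. It is a deliberately simplified, offline model of how IAM evaluates the policy above (only the Bool and BoolIfExists operators are modelled; Resource and principal matching are ignored), and it goes beyond the page in two ways: it adds a hypothetical broad allow (BROAD_ALLOW) to show that the conditional Allow alone does not stop a user who holds other permissions, and a hypothetical explicit-Deny variant (deny_unencrypted) that blocks unencrypted creation regardless of other allows. It also assumes, for the "parameter omitted" case, that the elasticfilesystem:Encrypted key is then absent from the request context; whether the service populates the key in that case is not stated on this page, so treat that branch as an assumption to verify against the real API.

```python
"""Simplified, offline model of IAM evaluation for the EFS encryption condition.

Added example (not AWS code). Models only Bool / BoolIfExists and action
matching; everything else about IAM evaluation is out of scope here.
"""
import json
from fnmatch import fnmatchcase

ACTION = "elasticfilesystem:CreateFileSystem"
ENCRYPTED_KEY = "elasticfilesystem:Encrypted"

# The identity-based policy produced by the console procedure above.
ALLOW_ONLY_ENCRYPTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ACTION,
        "Condition": {"Bool": {ENCRYPTED_KEY: "true"}},
        "Resource": "*",
    }],
}

# Hypothetical broad grant the same user might carry from another policy.
BROAD_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}],
}


def deny_unencrypted(operator="Bool"):
    """Hypothetical explicit-Deny variant: refuse CreateFileSystem when
    Encrypted is false. With "BoolIfExists" the Deny also fires when the
    condition key is absent from the request context."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedEfs",
            "Effect": "Deny",
            "Action": ACTION,
            "Condition": {operator: {ENCRYPTED_KEY: "false"}},
            "Resource": "*",
        }],
    }


def _condition_matches(condition, context):
    """Bool: an absent key is a non-match. BoolIfExists: an absent key matches."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        if (operator[:-8] if if_exists else operator) != "Bool":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if not if_exists:
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, context):
    """Case-insensitive action match with '*' wildcards, then the Condition block."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, context):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def create_file_system_decision(policies, encrypted=None):
    """Decision for CreateFileSystem. encrypted=None models a request that omits
    the parameter; assumption: the condition key is then absent from context."""
    context = {} if encrypted is None else {ENCRYPTED_KEY: "true" if encrypted else "false"}
    return evaluate(policies, ACTION, context)


def policy_document(policy):
    """JSON text in the form accepted by `aws iam create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    cases = [
        ("allow-only (page's policy)", [ALLOW_ONLY_ENCRYPTED]),
        ("allow-only + broad allow", [ALLOW_ONLY_ENCRYPTED, BROAD_ALLOW]),
        ("broad allow + Deny/Bool", [BROAD_ALLOW, deny_unencrypted()]),
        ("broad allow + Deny/BoolIfExists", [BROAD_ALLOW, deny_unencrypted("BoolIfExists")]),
    ]
    for label, policies in cases:
        for enc in (True, False, None):
            print(f"{label:34} Encrypted={enc!s:5} -> {create_file_system_decision(policies, enc)}")
    print(policy_document(ALLOW_ONLY_ENCRYPTED))
```

Running the script shows the practical difference: the page's Allow-only policy gives the user nothing for an unencrypted request, but as soon as a broad allow is also attached the unencrypted request succeeds, whereas the explicit Deny blocks it in both configurations. Pipe the output of policy_document() to a file and pass it as file://policy.json to aws iam create-policy if you prefer the CLI over the console steps above.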