Encrypting File Data with Amazon Elastic File System
Publication date: February 22, 2021 (Document History and Contributors)
Abstract
Security is the top priority at AWS and we give our customers the tools to prioritize security in their enterprise. Government regulations and industry or company compliance policies may require data of different classifications to be secured by using encryption policies, cryptographic algorithms, and proper key management. This paper outlines best practices for encrypting Amazon Elastic File System (Amazon EFS).
Introduction
Amazon Elastic File System
Data stored in these file systems can be encrypted at rest and in transit using Amazon EFS. For encryption of data at rest, you can create encrypted file systems through the AWS Management Console or the AWS Command Line Interface (AWS CLI), or programmatically through the Amazon EFS API or one of the AWS SDKs.
For encryption of data at rest, Amazon EFS integrates with AWS Key Management Service
This paper outlines encryption best practices for Amazon EFS. It describes how to enable encryption of data in transit at the client connection layer, and how to create an encrypted file system in the AWS Management Console and in the AWS CLI.
Note
Using the APIs and SDKs to create an encrypted file system is outside the scope of this paper. For more information about how this is done, see Amazon EFS API in the Amazon EFS User Guide or the SDK documentation.