Encryption of Data in Transit - Encrypting File Data with Amazon Elastic File System

Encryption of Data in Transit

You can mount a file system so that all NFS traffic is encrypted in transit using Transport Layer Security 1.2 (TLS) with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the network. AES-256 is a 256-bit encryption cipher used for data transmission in TLS. We recommend setting up encryption in transit on every client accessing the file system.

You can use IAM policies to enforce encryption in transit for NFS client access to Amazon EFS. When a client connects to a file system, Amazon EFS evaluates the file system's IAM resource policy, called a file system policy, together with any identity-based IAM policies to determine which file system access permissions to grant. You can use the aws:SecureTransport condition key in the file system policy to require NFS clients to use TLS when connecting to an EFS file system.

Note

You must use the EFS mount helper to mount your Amazon EFS file systems in order to use IAM authorization to control access by NFS clients. For more information, see Mounting with IAM authorization in the Amazon EFS User Guide.

The following example EFS file system policy enforces encryption in transit and has the following characteristics:

  • The effect is allow.

  • The principal is set to * for all IAM entities.

  • The action is set to ClientMount, ClientWrite, ClientRootAccess.

  • The condition for granting permissions is set to SecureTransport. Only NFS clients using TLS to connect to the file system are granted access.

    {
        "Version": "2012-10-17",
        "Id": "ExamplePolicy01",
        "Statement": [
            {
                "Sid": "VisualEditior0",
                "Effect": "Allow",
                "Principal": { "AWS": "*" },
                "Action": [
                    "elasticfilesystem:ClientRootAccess",
                    "elasticfilesystem:ClientMount",
                    "elasticfilesystem:ClientWrite"
                ],
                "Condition": {
                    "Bool": { "aws:SecureTransport": "true" }
                }
            }
        ]
    }

You can create a file system policy using the Amazon EFS console or using the AWS CLI.
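As an added example (not code from the page or from AWS), the following Python checker parses a file system policy and reports whether NFS client access is granted only over TLS. It embeds the page's policy and a constructed variant with the Condition dropped; the Deny-when-false pattern it also accepts is a common alternative to the page's Allow-when-true pattern.

```python
import json

# NFS client actions a file system policy can grant (named on the page).
CLIENT_ACTIONS = {"elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                  "elasticfilesystem:ClientRootAccess"}

# The page's policy: Allow, Principal *, conditioned on aws:SecureTransport = true.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "ExamplePolicy01", "Statement": [{
    "Sid": "VisualEditior0", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": sorted(CLIENT_ACTIONS),
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})

# Constructed weak variant: the same grant with the Condition dropped.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": sorted(CLIENT_ACTIONS)}]})

def _as_list(v):
    """IAM fields such as Action or Principal.AWS may be a string or a list."""
    return v if isinstance(v, list) else [v]

def _covers_client_access(s):
    """True if the statement's Action reaches at least one NFS client action."""
    return any(a in CLIENT_ACTIONS or a in ("*", "elasticfilesystem:*")
               for a in _as_list(s.get("Action", [])))

def _everyone(s):
    """True if the statement's Principal is the wildcard, i.e. all IAM entities."""
    p = s.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _secure_transport(s):
    """The Bool aws:SecureTransport value from the Condition, lower-cased, or None."""
    v = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return None if v is None else str(_as_list(v)[0]).lower()

def enforces_tls(policy_json):
    """True if the policy grants NFS client access only over TLS: either every Allow
    covering client actions requires aws:SecureTransport = true (the page's pattern),
    or a Deny for all principals on client actions fires when it is false."""
    stmts = _as_list(json.loads(policy_json).get("Statement", []))
    for s in stmts:
        if (s.get("Effect") == "Deny" and _everyone(s) and "NotAction" not in s
                and _covers_client_access(s) and _secure_transport(s) == "false"):
            return True
    allows = [s for s in stmts if s.get("Effect") == "Allow" and _covers_client_access(s)]
    return bool(allows) and all(_secure_transport(s) == "true" for s in allows)

if __name__ == "__main__":
    print("page policy enforces TLS:", enforces_tls(PAGE_POLICY))  # True
    print("weak policy enforces TLS:", enforces_tls(WEAK_POLICY))  # False
```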

To create a file system policy using the EFS console:

  1. Open the Amazon EFS console.

  2. Choose File Systems.

  3. On the File systems page, choose the file system that you want to edit or create a file system policy for. The details page for that file system is displayed.

  4. Choose File system policy, then choose Edit. The File system policy page appears.

    [Figure: Create file system policy. File system policy interface with policy options and JSON editor for custom configurations.]

  5. In Policy options, we recommend that you choose the following available preconfigured policy options:

    • Prevent root access by default

    • Enforce read-only access by default

    • Enforce in-transit encryption for all clients

    If you choose a preconfigured policy, the policy JSON object is displayed in the Policy editor panel.

  6. Use Grant additional permissions to grant file system permissions to additional IAM principals, including another AWS account. Choose Add, enter the Principal ARN of the entity to which you are granting permissions, then choose the Permissions to grant.

  7. Use the Policy editor to customize a preconfigured policy or to create your own policy based on your requirements. When you use the editor, the preconfigured policy options become unavailable. To undo your policy changes, choose Clear.

    When you clear the editor, the preconfigured policies become available once again.

  8. After you complete editing or creating the policy, choose Save.

    The details page for the file system is displayed, showing the policy in File system policy.

You can also create a file system policy programmatically using AWS CloudFormation, AWS SDKs, or the Amazon EFS API directly. For more information about creating file system policies, see Creating file system policies in the Amazon EFS User Guide.

Setting up Encryption of Data in Transit

To set up encryption of data in transit, we recommend that you download the EFS mount helper on each client. The EFS mount helper is an open-source utility that AWS provides to simplify using EFS, including setting up encryption of data in transit. The mount helper uses the EFS recommended mount options by default.

The EFS mount helper is supported on the following Linux distributions:

  • Amazon Linux 2017.09+

  • Amazon Linux 2+

  • Debian 9+

  • Fedora 28+

  • Red Hat Enterprise Linux / CentOS 7+

  • Ubuntu 16.04+

To set up encryption of data in transit:

  1. Install the EFS mount helper:

    • For Amazon Linux, use this command:

      sudo yum install -y amazon-efs-utils

    • For other Linux distributions, download from GitHub and install.

      The amazon-efs-utils package automatically installs the following dependencies: NFS client (nfs-utils), Network relay (stunnel), OpenSSL, and Python.

  2. Mount the file system:

    sudo mount -t efs -o tls file-system-id efs-mount-point

    • mount -t efs invokes the EFS mount helper.

    • Using the DNS name of the file system or the IP address of a mount target is not supported when mounting with the EFS mount helper; use the file system ID instead.

    • The EFS mount helper uses the AWS recommended mount options by default. Overriding these default mount options is not recommended but we provide the flexibility to do so when the occasion arises. We recommend thoroughly testing any mount option overrides so you understand how these changes impact file system access and performance.

    • The following table lists the default mount options used by the EFS mount helper.

      Option          Description
      --------------  --------------------------------------------------------------------------------------------
      nfsvers=4.1     The version of the NFS protocol
      rsize=1048576   The maximum number of bytes of data that the NFS client can receive for each network READ request
      wsize=1048576   The maximum number of bytes of data that the NFS client can send for each network WRITE request
      hard            The recovery behavior of the NFS client after an NFS request times out: requests are retried indefinitely until the server replies
      timeo=600       The timeout value, in deciseconds (tenths of a second), that the NFS client waits for a response before it retries an NFS request
      retrans=2       The number of times the NFS client retries a request before it attempts further recovery action
      noresvport      Tells the NFS client to use a new TCP source port when a network connection is reestablished

    • Add the following line to /etc/fstab to automatically remount your file system after any system restart. Mount options in fstab are a single comma-separated field with no spaces.

      file-system-id efs-mount-point efs _netdev,tls,iam 0 0

Using Encryption of Data in Transit

If your organization is subject to corporate or regulatory policies that require encryption of data in transit, we recommend using encryption of data in transit on every client accessing the file system. Encryption and decryption are configured at the connection level and add another layer of security.

Mounting the file system using the EFS mount helper sets up and maintains a TLS 1.2 tunnel between the client and Amazon EFS, and routes all NFS traffic over this encrypted tunnel. The certificate used to establish the encrypted TLS connection is signed by the Amazon Certificate Authority (CA) and trusted by most modern Linux distributions. The EFS mount helper also spawns a watchdog process to monitor all secure tunnels to each file system and ensures they are running.

After using the EFS mount helper to establish encrypted connections to Amazon EFS, no other user input or configuration is required. Encryption is transparent to user connections and applications accessing the file system.

After successfully mounting and establishing an encrypted connection to an EFS file system using the EFS mount helper, the output of the mount command shows that the file system is mounted and that an encrypted tunnel has been established, with localhost (127.0.0.1) acting as the network relay. See the following sample output.

127.0.0.1:/ on efs-mount-point type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=20059,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)

To map an efs-mount-point to an EFS file system, query the mount.log file in /var/log/amazon/efs and find the last successful mount operation. This can be done using the following simple grep command.

grep -E "Successfully mounted.*efs-mount-point" /var/log/amazon/efs/mount.log | tail -1

This command returns the DNS name of the mounted EFS file system, as in the following sample output.

2018-03-15 07:03:42,363 - INFO - Successfully mounted file-system-id.efs.region.amazonaws.com at efs-mount-point
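As an added example (not part of the original page), the following Python automates the two checks above: it parses `mount` output to confirm that NFS traffic is relayed through 127.0.0.1 with the mount helper's default options, and maps a mount point to its file system DNS name from mount.log the way the grep ... | tail -1 does. The mount points, file system IDs, addresses and timestamps are constructed sample data.

```python
import re

# Default mount options the EFS mount helper applies (from the page's table); 'hard' is a bare flag.
EXPECTED = {"vers": "4.1", "rsize": "1048576", "wsize": "1048576", "hard": True,
            "timeo": "600", "retrans": "2"}
# Constructed sample `mount` output: a TLS-tunnelled EFS mount relayed via 127.0.0.1 as the
# page describes, and a plain NFS mount that goes straight to a mount target (no tunnel).
MOUNT_OUTPUT = """\
127.0.0.1:/ on /mnt/efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=20059,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
fs-12345678.efs.us-east-1.amazonaws.com:/ on /mnt/plain type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.1.5,local_lock=none,addr=10.0.1.23)
"""
# Constructed /var/log/amazon/efs/mount.log excerpt in the page's line format.
MOUNT_LOG = """\
2018-03-15 06:58:10,001 - INFO - Successfully mounted fs-0badcafe.efs.us-east-1.amazonaws.com at /mnt/efs
2018-03-15 07:03:42,363 - INFO - Successfully mounted fs-12345678.efs.us-east-1.amazonaws.com at /mnt/efs
"""
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mnt>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")

def parse_mount_line(line):
    """Split one `mount` output line into source host, mount point, fstype and an options dict."""
    m = MOUNT_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for item in m["opts"].split(","):
        key, _, val = item.partition("=")
        opts[key] = val if val else True  # bare flags such as 'hard' become True
    return {"host": m["src"].rsplit(":", 1)[0], "mount_point": m["mnt"],
            "fstype": m["fstype"], "options": opts}

def tunnel_findings(line):
    """Reasons a mount is not a TLS-tunnelled EFS mount with the helper's defaults ([] = passes)."""
    mnt = parse_mount_line(line)
    if mnt is None or mnt["fstype"] != "nfs4":
        return ["not a parseable nfs4 mount line"]
    opts = mnt["options"]
    problems = []
    if not (mnt["host"] == "127.0.0.1" and opts.get("addr") == "127.0.0.1"):
        problems.append("NFS traffic is not relayed through the local stunnel (127.0.0.1)")
    problems += [f"{k}={opts.get(k)} (expected {v})" for k, v in EXPECTED.items()
                 if opts.get(k) != v]
    return problems

def file_system_for(mount_point, log_text):
    """Map a mount point to its EFS DNS name via the last successful mount in mount.log."""
    pat = re.compile(r"Successfully mounted (\S+) at " + re.escape(mount_point) + r"$")
    hits = [m.group(1) for ln in log_text.splitlines() if (m := pat.search(ln))]
    return hits[-1] if hits else None
```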