Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys instead of AWS managed-keys (default keys used by the EFS service when there are no customer keys defined) in order to have more granular control over your data-at-rest encryption/decryption process.
When you define and use your own KMS CMK customer-managed keys to protect the EFS file systems data and metadata, you gain full control over who can use these keys to access the data (including the system metadata). The AWS KMS service allows you to create, rotate, disable and audit CMK encryption keys for your file systems.
To determine the encryption status and configuration for your AWS EFS file systems, perform the following:
To encrypt an existing AWS EFS file system with your own AWS KMS CMK customer-managed key you must copy the data from the existing file system onto the new one, that has the encryption feature enabled. To create the necessary KMS CMK customer-managed key and set up the new EFS file system, enable custom encryption and copy your existing data to it, perform the following: