Ensure that Amazon FSx for Windows File Server file systems are using AWS KMS Customer Master Keys (CMKs) instead of AWS-managed keys for data encryption, in order to have fine-grained control over data-at-rest encryption and decryption and to meet compliance requirements. FSx for Windows File Server is a fully managed Windows file system that can be used to move Windows-based applications that require file storage to the AWS cloud.
By default, your Amazon FSx data is encrypted at rest using an AWS-managed key (i.e. the default key that protects FSx data when no other key is defined). However, you have the option to configure your Windows File Server file systems to encrypt data using customer-managed keys. When you use your own AWS KMS Customer Master Keys (CMKs) to protect your FSx data at rest, you have full control over who can use the encryption keys to access it. AWS Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS FSx Windows File Server file system data.
To determine the encryption configuration for your AWS FSx file systems, perform the following actions:
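One way to script this check, as an added example that is not part of the original page: it classifies each Windows file system by the `KeyManager` value (`AWS` or `CUSTOMER`) of the KMS key named in its `KmsKeyId`. The inputs are constructed samples shaped like the output of `aws fsx describe-file-systems` and `aws kms describe-key`; the function names and status labels are assumptions made for this example.

```python
"""Flag FSx for Windows File Server file systems encrypted with an AWS-managed key."""

ARN = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account and region

# Constructed sample, shaped like `aws fsx describe-file-systems` output.
SAMPLE_FILE_SYSTEMS = {"FileSystems": [
    {"FileSystemId": "fs-0aaaaaaaaaaaaaaa1", "FileSystemType": "WINDOWS",
     "KmsKeyId": ARN + "example-aws-managed"},
    {"FileSystemId": "fs-0bbbbbbbbbbbbbbb2", "FileSystemType": "WINDOWS",
     "KmsKeyId": ARN + "example-customer-managed"},
    {"FileSystemId": "fs-0ccccccccccccccc3", "FileSystemType": "LUSTRE",
     "KmsKeyId": ARN + "example-aws-managed"},
    {"FileSystemId": "fs-0ddddddddddddddd4", "FileSystemType": "WINDOWS",
     "KmsKeyId": ARN + "example-not-describable"},
]}

# Constructed sample: the KeyMetadata object from `aws kms describe-key`, by key ARN.
SAMPLE_KEY_METADATA = {
    ARN + "example-aws-managed": {"KeyManager": "AWS"},
    ARN + "example-customer-managed": {"KeyManager": "CUSTOMER"},
}


def classify(fs, key_metadata):
    """Return COMPLIANT, NON_COMPLIANT or UNKNOWN for one file system record."""
    meta = key_metadata.get(fs.get("KmsKeyId"))
    if meta is None:
        # The key could not be described (for example, access denied): do not
        # assume compliance, report it for manual review instead.
        return "UNKNOWN"
    manager = meta.get("KeyManager")
    if manager == "CUSTOMER":
        return "COMPLIANT"
    if manager == "AWS":
        return "NON_COMPLIANT"
    return "UNKNOWN"


def audit(file_systems, key_metadata, fs_type="WINDOWS"):
    """Map FileSystemId to status for every file system of the given type."""
    return {
        fs["FileSystemId"]: classify(fs, key_metadata)
        for fs in file_systems.get("FileSystems", [])
        if fs.get("FileSystemType") == fs_type
    }


if __name__ == "__main__":
    for fs_id, status in sorted(audit(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_METADATA).items()):
        print(f"{fs_id}\t{status}")
```
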
To encrypt your Amazon FSx Windows File Server file system data using your own AWS KMS Customer Master Key, you have to re-create the non-compliant FSx file system with the required encryption configuration. To re-create your Windows File Server file system and enable data-at-rest encryption using a customer-managed CMK, perform the following actions: