Ensure that Amazon Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys (i.e. default keys) for file share data encryption, in order to have a fine-grained control over data-at-rest encryption/decryption process and meet compliance requirements. An AWS Storage Gateway file share is a file system mount point backed by Amazon S3 cloud storage.
- By default, AWS Storage Gateway service uses Amazon S3-Managed Encryption Keys (SSE-S3) to encrypt all data it stores in Amazon S3. Now you have the option to configure your file gateways to encrypt data stored in S3 using AWS Key Management Service (KMS). When you use your own AWS KMS Customer Master Keys (CMKs) to protect your file share data at rest, you have full control over who can use the encryption keys to access it. Amazon Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway file share data.
To determine the encryption configuration for your AWS Storage Gateway file shares, perform the following actions:
To encrypt your AWS Storage Gateway file share data using your own AWS KMS Customer Master Keys, perform the following actions:Note: Updating the encryption configuration for existing Amazon Storage Gateway file shares using the AWS Management Console is not currently supported.