Ensure that the AWS Storage Gateway service is using AWS KMS Customer Master Keys (CMKs) instead of AWS managed keys (i.e. the default keys) for file share data encryption, in order to have fine-grained control over the data-at-rest encryption/decryption process and to meet compliance requirements. An AWS Storage Gateway file share is a file system mount point backed by Amazon S3 cloud storage.
By default, the AWS Storage Gateway service uses Amazon S3-Managed Encryption Keys (SSE-S3) to encrypt all data it stores in Amazon S3. You also have the option to configure your file gateways to encrypt data stored in S3 using AWS Key Management Service (KMS). When you use your own AWS KMS Customer Master Keys (CMKs) to protect your file share data at rest, you have full control over who can use the encryption keys to access it. AWS Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS Storage Gateway file share data.
Audit
To determine the encryption configuration for your AWS Storage Gateway file shares, perform the following actions:
Remediation / Resolution
To encrypt your AWS Storage Gateway file share data using your own AWS KMS Customer Master Keys, perform the following actions:
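A worked illustration of the audit check and of the CLI remediation call, added here as an example (not Conformity's own script): it classifies the output of `aws storagegateway describe-nfs-file-shares` by whether a CMK is in use, and builds the matching `update-nfs-file-share` command. The file share and key ARNs in the sample are constructed placeholders.

```python
"""Audit Storage Gateway NFS file shares for customer-managed KMS key usage."""
import json
import subprocess
from typing import Dict, List

# Constructed sample shaped like `aws storagegateway describe-nfs-file-shares` output.
# The ARNs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NFSFileShareInfoList": [
        {
            "FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-AAAA0001",
            "KMSEncrypted": True,
            "KMSKey": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        },
        {
            # No KMS key configured: data is protected only by SSE-S3 default keys.
            "FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-AAAA0002",
            "KMSEncrypted": False,
        },
    ]
})


def audit_file_shares(describe_output: str) -> Dict[str, List[str]]:
    """Split shares into 'cmk' (customer master key in use) and 'default' (SSE-S3)."""
    result: Dict[str, List[str]] = {"cmk": [], "default": []}
    for share in json.loads(describe_output).get("NFSFileShareInfoList", []):
        arn = share["FileShareARN"]
        # Compliant only when KMS encryption is on AND a key ARN is recorded.
        if share.get("KMSEncrypted") and share.get("KMSKey"):
            result["cmk"].append(arn)
        else:
            result["default"].append(arn)
    return result


def remediation_command(share_arn: str, kms_key_arn: str) -> List[str]:
    """Build the update-nfs-file-share invocation that moves a share onto the given CMK."""
    return ["aws", "storagegateway", "update-nfs-file-share",
            "--file-share-arn", share_arn, "--kms-encrypted", "--kms-key", kms_key_arn]


def describe_live_shares(file_share_arns: List[str]) -> str:
    """Fetch real share details via the AWS CLI (needs credentials; not used offline)."""
    cmd = ["aws", "storagegateway", "describe-nfs-file-shares",
           "--file-share-arn-list", *file_share_arns]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    findings = audit_file_shares(SAMPLE_DESCRIBE_OUTPUT)
    for arn in findings["default"]:
        print("NON-COMPLIANT:", arn)
        print("  fix:", " ".join(remediation_command(arn, "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER")))
```

Feed `describe_live_shares()` the ARNs returned by `aws storagegateway list-file-shares` to audit a real gateway instead of the sample.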
Note: Updating the encryption configuration for existing Amazon Storage Gateway file shares using the AWS Management Console is not currently supported.

References
- AWS Documentation
  - AWS Storage Gateway FAQs
  - What Is AWS Storage Gateway?
  - CreateNFSFileShare
  - Encrypting Your Data Using AWS Key Management Service
- AWS Command Line Interface (CLI) Documentation
  - storagegateway
    - list-file-shares
    - describe-nfs-file-shares
    - update-nfs-file-share
  - kms
    - create-key
    - create-alias
Use KMS Customer Master Keys for AWS Storage Gateway File Shares
Risk Level: High