Enforce encryption for Amazon Elastic File System resources using AWS IAM

Posted on: Sep 16, 2020

You can now use AWS Identity and Access Management (AWS IAM) identity-based policies to enforce encryption of data at rest for your Amazon Elastic File System (Amazon EFS) file system resources. Using an IAM condition key, you can prevent users from creating EFS file systems that aren’t encrypted. Central security administrators can also define service control policies (SCPs) inside AWS Organizations to enforce EFS encryption for all AWS accounts in their organization.
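An example of the kind of policy this enables, added here and not part of the AWS announcement: a service control policy that denies `CreateFileSystem` whenever the request would create an unencrypted file system. It assumes the `elasticfilesystem:Encrypted` condition key and `elasticfilesystem:CreateFileSystem` action as documented for EFS; the `Sid` is a constructed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEfsFileSystems",
      "Effect": "Deny",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "elasticfilesystem:Encrypted": "false"
        }
      }
    }
  ]
}
```

The same statement works as an identity-based IAM policy for a single account; before rolling it out as an SCP, confirm in a test account that a `CreateFileSystem` call that omits the `Encrypted` parameter (which defaults to unencrypted) is also denied, since an explicit Deny in an SCP cannot be overridden by any account-level policy.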

This capability complements the existing controls for managing access to your EFS resources at scale: enforcing encryption of data in transit with file system policies, IAM authorization for NFS clients, and EFS Access Points. Enforcing encryption of data at rest is available in all AWS Regions where EFS is available, at no additional charge. To get started, see the Amazon EFS user guide.