- Knowledge Base
- Amazon Web Services
- Amazon FSx
- Use KMS Customer Master Keys for FSx Windows File Server File Systems
Ensure that Amazon FSx for Windows File Server file systems are using AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys for data encryption, in order to have a fine-grained control over data-at-rest encryption and decryption and meet compliance requirements. FSx for Windows File Server is a fully managed Windows File System that can be used to move Windows-based applications that require file storage to AWS cloud.
Security By default, your Amazon FSx data is encrypted at rest using an AWS-managed key (i.e. default key that protects FSx data when no other key is defined). However, you have the option to configure your Windows File Server file systems to encrypt data using customer-managed keys. When you use your own AWS KMS Customer Master Keys (CMKs) to protect your FSx data at rest, you have full control over who can use the encryption keys to access it. Amazon Key Management Service allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt AWS FSx Windows File Server file systems data.
Audit
To determine the encryption configuration for your AWS FSx file systems, perform the following actions:
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to Amazon FSx service dashboard at https://console.aws.amazon.com/fsx/.
03 In the left navigation panel, under Amazon FSx, choose File systems to access the file systems available in the current region.
04 Click on the File system type column to group the existent file systems based on their type (Windows File Server or Lustre).
05 Choose the Windows File Server file system that you want to examine, click the Actions dropdown button from the dashboard top menu and select View details.
06 On the file system description page, select Network & Security tab, and copy the KMS key ID attribute value (i.e. key ARN).
07 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
08 In the left navigation panel, click Encryption Keys.
09 Select the appropriate AWS region from the Filter menu (must match the region where your file system was created).
10 Choose the KMS key with the alias set to aws/fsx, then click on its name link to access the key details.
11 On the selected KMS key configuration page, under Summary, check the key Amazon Resource Name (ARN) listed as value for the ARN attribute. If the aws/fsxkey ARN and the ARN identified at step no. 6 match, the selected Amazon FSx Windows File Server file system is encrypting data using the AWS-managed key instead of a customer-managed CMK.
12 Repeat steps no. 5 – 11 to determine the encryption configuration for other Windows File Server file systems available in the current region.
13 Change the AWS region from the console navigation bar and repeat the audit process for other regions.
Using AWS CLI
01 Rundescribe-file-systems command (OSX/Linux/UNIX) to list the IDs of the AWS FSx Windows File Server file systems available in the selected region:
aws fsx describe-file-systems --region us-east-1 --query 'FileSystems[*].FileSystemId'
02 The command output should return an array with the requested file system IDs:
[ "fx-01234123412341234", "fx-0abcd1234abcd1234" ]
03 Execute againdescribe-file-systems command (OSX/Linux/UNIX) using the ID of the file system that you want to examine as identifier and custom query filters to get the ARN of the AWS Key Management Service (KMS) key used to encrypt the data for the selected Amazon FSx Windows File Server file system:
aws fsx describe-file-systems --region us-east-1 --file-system-ids fx-01234123412341234 --query 'FileSystems[*].KmsKeyId'
04 The command output should return the requested Amazon Resource Name (ARN):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd"
05 Run describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as identifier and custom query filters to expose the name of the manager (either "AWS" or "CUSTOMER") for the encryption key used:
aws aws kms describe-key --region us-east-1 --key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd --query 'KeyMetadata.KeyManager'
06 The command output should return the selected AWS KMS key manager name:
"AWS"
If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the data on the selected Amazon FSx Windows File Server file system is encrypted using the default master key (i.e. aws/fsx key) instead of a customer-managed Customer Master Key (CMK).
07 Repeat steps no. 3 – 6 to determine the encryption configuration for other Windows File Server file systems available in the selected region.
08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.
Remediation / Resolution
To encrypt your Amazon FSx Windows File Server file system data using your own AWS KMS Customer Master Key, you have to re-create the non-compliant FSx file system with the required encryption configuration. To re-create your Windows File Server file system and enable data-at-rest encryption using a customer-managed CMK, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"KMSKEY": {
"Type": "AWS::KMS::Key",
"Properties": {
"Enabled": true,
"KeySpec": "SYMMETRIC_DEFAULT",
"KeyUsage": "ENCRYPT_DECRYPT",
"Description": "Symmetric Amazon KMS Customer Master Key",
"KeyPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
}
},
"KMSKEYAlias": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": "alias/FSxCustomCMK",
"TargetKeyId": {
"Ref": "KMSKEY"
}
}
},
"FSxFileSystem": {
"Type": "AWS::FSx::FileSystem",
"Properties": {
"FileSystemType": "WINDOWS",
"StorageType": "SSD",
"StorageCapacity": 1024,
"SubnetIds": [
"subnet-01234abcd1234abcd",
"subnet-0abcd1234abcd1234"
],
"SecurityGroupIds": [
"sg-0abcd1234abcd1234"
],
"KmsKeyId": {
"Ref": "KMSKEY"
}
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: KMSKEY: Type: AWS::KMS::Key Properties: Enabled: true KeySpec: SYMMETRIC_DEFAULT KeyUsage: ENCRYPT_DECRYPT Description: Symmetric Amazon KMS Customer Master Key KeyPolicy: Version: '2012-10-17' Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: arn:aws:iam::123456789012:root Action: kms:* Resource: '*' - Sid: Allow access for Key Administrators Effect: Allow Principal: AWS: arn:aws:iam::123456789012:user/kms-key-admin Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:TagResource - kms:UntagResource - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion Resource: '*' - Sid: Allow use of the key Effect: Allow Principal: AWS: - arn:aws:iam::123456789012:user/cloud-resource-manager Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: '*' - Sid: Allow attachment of persistent resources Effect: Allow Principal: AWS: - arn:aws:iam::123456789012:user/cloud-resource-manager Action: - kms:CreateGrant - kms:ListGrants - kms:RevokeGrant Resource: '*' Condition: Bool: kms:GrantIsForAWSResource: 'true' KMSKEYAlias: Type: AWS::KMS::Alias Properties: AliasName: alias/FSxCustomCMK TargetKeyId: !Ref 'KMSKEY' FSxFileSystem: Type: AWS::FSx::FileSystem Properties: FileSystemType: WINDOWS StorageType: SSD StorageCapacity: 1024 SubnetIds: - subnet-01234abcd1234abcd - subnet-0abcd1234abcd1234 SecurityGroupIds: - sg-0abcd1234abcd1234 KmsKeyId: !Ref 'KMSKEY'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
profile = "default"
region = "us-east-1"
}
resource "aws_kms_key" "kms-key" {
is_enabled = true
customer_master_key_spec = "SYMMETRIC_DEFAULT"
key_usage = "ENCRYPT_DECRYPT"
description = "Symmetric Amazon KMS Customer Master Key"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/kms-key-admin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/cloud-resource-manager"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
EOF
}
resource "aws_kms_alias" "kms-key-alias" {
target_key_id = aws_kms_key.kms-key.key_id
name = "alias/FSxCustomCMK"
}
resource "aws_fsx_windows_file_system" "fsx-file-system" {
deployment_type = "MULTI_AZ_1"
subnet_ids = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
storage_type = "SSD"
storage_capacity = 1024
throughput_capacity = 512
security_group_ids = ["sg-0abcd1234abcd1234"]
kms_key_id = aws_kms_key.kms-key.key_id
}
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.
03 In the left navigation panel click Encryption Keys.
04 Select the appropriate AWS region from the Filter menu (must match the region where your non-compliant file system is provisioned).
05 Click Create Key button from the dashboard top menu.
06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.
07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.
08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt your FSx data with the AWS KMS API.
09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt your file system data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.
10 Click Next Step to continue.
11 Under Preview Key Policy section, review the key policy generated by AWS then click Finishto create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: “Your master key was created successfully. Alias: <kms-cmk-alias>”.
12 Once the KMS CMK has been created, navigate to AWS FSx service dashboard at https://console.aws.amazon.com/fsx/.
13 In the left navigation panel, under Amazon FSx, choose File systems to access the file systems list.
14 Choose the Windows File Server file system that you want to re-create, click the Actions dropdown button from the dashboard top menu and select View details.
15 On the file system description page, select the Overview tab, note the Storage capacity and Throughput capacity values, then select the Network & Security tab, and copy the network-based configuration details such as VPC, Security groups, Subnet and Microsoft Entra ID ID.
16 In the navigation panel, choose File systems.
17 Click Create file system button from the dashboard top menu to initiate the file system setup.
18 On Select file system type page, choose Amazon FSx for Windows File Server to select the type of the new file system.
19 Click Next to continue the process.
20 On Create file system page, perform the following:
- In the File system name box, type a unique name for your new Windows File Server file system.
- Within Encryption section, select the alias of the KMS Customer Master Key (CMK) created earlier in the remediation process from the Encryption key dropdown list.
- Configure the rest of the settings available on this page using the configuration information taken from the source file system, copied at step no. 15.
- Click Next to continue.
21 On Review and create page, review the configuration settings for your new FSx file system, then click Create file system to launch the resource.
22 Once your new Amazon FSx file system is created, you can unmount the non-compliant file system and mount the new file system to your Windows–based EC2 instance, joined to your AWS Directory Service directory.
23 Repeat step no. 14 – 22 to configure encryption at rest using KMS Customer Master Keys (CMKs) for other Amazon FSx file systems available in the current region.
24 Change the AWS region from the navigation bar to repeat the entire remediation/resolution process for the other regions.
Using AWS CLI
01 Define the access policy that enables your selected IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt FSx file system data using the AWS KMS API. Create a new policy document called fsx-cmk-policy.json and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
"Version": "2012-10-17",
"Id": "fsx-file-system-custom-key-policy",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Grant access to CMK manager",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/AmazonFSxManager"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow the use of the CMK",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/FSxAdmin"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/FSxAdmin"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. fsx-cmk-policy.json) as command parameter to create the new AWS KMS Customer Master Key:
aws kms create-key --region us-east-1 --description 'KMS CMK for encrypting AWS FSx file systems data.' --policy file://fsx-cmk-policy.json
03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (Arn parameter value - highlighted) as this information will be required later when you need to specify the key required for FSx data encryption:
{
"KeyMetadata": {
"Origin": "AWS_KMS",
"KeyId": "abcdabcd-1234-1234-1234-abcd1234abcd",
"Description": "KMS CMK for encrypting AWS FSx file systems data."
"Enabled": true,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "Enabled",
"CreationDate": 1517238466.120,
"Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd",
"AWSAccountId": "123456789012"
}
}
04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/FSxCustomCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd
05 Rundescribe-file-systems command (OSX/Linux/UNIX) using the ID of the file system that you want to re-create as identifier (see Audit section part II to identify the right resource) to return the configuration metadata for the specified Amazon FSx Windows File Server file system:
aws fsx describe-file-systems --region us-east-1 --file-system-ids fx-01234123412341234
06 The command output should return the requested file system metadata:
{
"FileSystems": [
{
"FileSystemId": "fx-01234123412341234",
"FileSystemType": "WINDOWS"
"VpcId": "vpc-abcdabcd",
...
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd"
"Region": "us-east-1",
"OwnerId": "123456789012",
}
]
}
07 Runcreate-file-system command (OSX/Linux/UNIX) using the ARN of the newly created Customer Master Key (CMK) as value for the --kms-key-id parameter and the configuration information returned at the previous step to create a new and compliant Windows File Server file system:
aws fsx create-file-system --region us-east-1 --file-system-type WINDOWS --storage-capacity 1024 --subnet-ids subnet-abcd1234 --security-group-ids sg-012345678aabbccdd --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd --windows-configuration ActiveDirectoryId="d-abcabcabc01",ThroughputCapacity=16,AutomaticBackupRetentionDays=7,CopyTagsToBackups=true
08 The command output should return the new AWS FSx file system metadata:
{
"FileSystems": [
{
"FileSystemId": "fx-0abcd1234abcd1234",
"FileSystemType": "WINDOWS"
"VpcId": "vpc-abcdabcd",
...
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd"
"Region": "us-east-1",
"OwnerId": "123456789012",
}
]
}
09 After the Amazon FSx file system is created, you can unmount the non-compliant file system and mount the new file system to your Windows–based EC2 instance, joined to your AWS Directory Service directory.
10 Repeat steps no. 5 – 9 to configure encryption at rest using KMS Customer Master Keys (CMKs) for other Amazon FSx Windows File Server file systems available in the current region.
11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the entire process for other regions.
References
- AWS Documentation
- Amazon FSx for Windows File Server
- Amazon FSx for Windows File Server FAQs
- Encryption of Data at Rest and Data in Transit
- Getting Started with Amazon FSx
- AWS Command Line Interface (CLI) Documentation
- fsx
- describe-file-systems
- create-file-system
- kms
- describe-key
- create-key
- create-alias