Ensure that Amazon FSx for Windows File Server file systems are encrypted with AWS KMS Customer Master Keys (CMKs) instead of AWS-managed keys, in order to have fine-grained control over data-at-rest encryption and decryption and to meet compliance requirements. FSx for Windows File Server is a fully managed Windows file system that can be used to move Windows-based applications that require file storage to the AWS cloud.
By default, your Amazon FSx data is encrypted at rest using an AWS-managed key (i.e. the default key that protects FSx data when no other key is specified). However, you have the option to configure your Windows File Server file systems to encrypt data using customer-managed keys. When you use your own AWS KMS Customer Master Keys (CMKs) to protect your FSx data at rest, you have full control over who can use the encryption keys to access it. AWS Key Management Service (KMS) allows you to easily create, rotate, disable and audit the Customer Master Keys used to encrypt your FSx for Windows File Server file system data.
To determine the encryption configuration for your AWS FSx file systems, perform the following actions:
Remediation / Resolution
To encrypt your Amazon FSx for Windows File Server file system data using your own AWS KMS Customer Master Key, you have to re-create the non-compliant FSx file system with the required encryption configuration, because the KMS key of an existing file system cannot be changed in place. To re-create your Windows File Server file system and enable data-at-rest encryption using a customer-managed CMK, perform the following actions:
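The configuration check described above can be scripted against the `DescribeFileSystems` and `DescribeKey` API responses: a file system whose `KmsKeyId` resolves to a key with `KeyManager` equal to `AWS` is still on the default aws/fsx key. This is an added example, not Conformity's own check; the sample file systems, account ID and key ARNs are constructed, and the live collector assumes boto3 is installed with credentials configured.

```python
AWS_MANAGED = "AWS"  # KeyMetadata.KeyManager value for AWS-managed keys such as aws/fsx


def audit_fsx_encryption(file_systems, key_metadata_by_arn):
    """Classify each FSx for Windows file system by who manages its KMS key.

    file_systems: the "FileSystems" list from DescribeFileSystems.
    key_metadata_by_arn: {KmsKeyId ARN: KeyMetadata dict from DescribeKey}.
    Returns a list of (FileSystemId, KmsKeyId, status) tuples.
    """
    findings = []
    for fs in file_systems:
        if fs.get("FileSystemType") != "WINDOWS":
            continue  # this rule only covers FSx for Windows File Server
        key_arn = fs.get("KmsKeyId")
        meta = key_metadata_by_arn.get(key_arn)
        if meta is None:
            status = "UNKNOWN_KEY"  # key absent or not describable: review manually
        elif meta.get("KeyManager") == AWS_MANAGED:
            status = "NON_COMPLIANT"  # encrypted with the AWS-managed aws/fsx key
        else:
            status = "COMPLIANT"  # customer-managed CMK
        findings.append((fs["FileSystemId"], key_arn, status))
    return findings


def collect_live(region_name):
    """Gather the same two inputs from a real account (assumes boto3 and credentials)."""
    import boto3
    fsx, kms = boto3.client("fsx", region_name=region_name), boto3.client("kms", region_name=region_name)
    file_systems, token = [], None
    while True:  # DescribeFileSystems is paginated via NextToken
        page = fsx.describe_file_systems(**({"NextToken": token} if token else {}))
        file_systems += page["FileSystems"]
        token = page.get("NextToken")
        if not token:
            break
    key_arns = {fs["KmsKeyId"] for fs in file_systems if fs.get("KmsKeyId")}
    return file_systems, {arn: kms.describe_key(KeyId=arn)["KeyMetadata"] for arn in key_arns}


# Constructed sample data (fake account 111122223333, fake key IDs), shaped like the API output
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0123456789abcdef0", "FileSystemType": "WINDOWS",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aws-managed"},
    {"FileSystemId": "fs-0fedcba9876543210", "FileSystemType": "WINDOWS",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-customer-cmk"},
    {"FileSystemId": "fs-0aaaabbbbccccdddd", "FileSystemType": "LUSTRE",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aws-managed"},
]
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-aws-managed": {"KeyManager": "AWS"},
    "arn:aws:kms:us-east-1:111122223333:key/bbbb2222-customer-cmk": {"KeyManager": "CUSTOMER"},
}

if __name__ == "__main__":
    for fs_id, key_arn, status in audit_fsx_encryption(SAMPLE_FILE_SYSTEMS, SAMPLE_KEYS):
        print(f"{fs_id}\t{status}\t{key_arn}")
```

Every `NON_COMPLIANT` file system is a candidate for the re-creation procedure in the remediation section; `UNKNOWN_KEY` usually means the caller lacks `kms:DescribeKey` on that key rather than a misconfiguration.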
Use KMS Customer Master Keys for FSx Windows File Server File Systems
Risk level: Medium