Best practices for administering Amazon FSx file systems

Kubernetes Advocate
AVM Consulting Blog
6 min read · May 3, 2023

Use KMS Customer Master Keys for FSx Windows File Server File Systems.

By default, your Amazon FSx data is encrypted at rest using an AWS-managed key (i.e. default key that protects FSx data when no other key is defined). However, you have the option to configure your Windows File Server file systems to encrypt data using customer-managed keys. When you use your own AWS KMS Customer Master Keys (CMKs) to protect your FSx data at rest, you have full control over who can use the encryption keys to access it. Amazon Key Management Service allows you to easily create, rotate, disable, and audit the Customer Master Keys used to encrypt AWS FSx Windows File Server file systems data.

To determine the encryption configuration for your AWS FSx file systems, perform the following actions:

Using AWS CLI

1. Run the describe-file-systems command (OSX/Linux/UNIX) to list the IDs of the AWS FSx Windows File Server file systems available in the selected region:

aws fsx describe-file-systems \
--region us-east-1 \
--query 'FileSystems[*].FileSystemId'

2. The command output should return an array with the requested file system IDs:

[
"fx-01234123412341234",
"fx-0abcd1234abcd1234"
]

3. Run the describe-file-systems command (OSX/Linux/UNIX) again, using the ID of the file system that you want to examine as the identifier and a custom query filter, to get the ARN of the AWS Key Management Service (KMS) key used to encrypt the data of the selected Amazon FSx Windows File Server file system:

aws fsx describe-file-systems \
--region us-east-1 \
--file-system-ids fx-01234123412341234 \
--query 'FileSystems[*].KmsKeyId'

4. The command output should return the requested Amazon Resource Name (ARN):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd"

5. Run the describe-key command (OSX/Linux/UNIX) using the AWS KMS key ARN returned at the previous step as the identifier and a custom query filter to expose the name of the key manager (either “AWS” or “CUSTOMER”) for the encryption key in use:

aws kms describe-key \
--region us-east-1 \
--key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd \
--query 'KeyMetadata.KeyManager'

6. The command output should return the selected AWS KMS key manager name:

"AWS"

If the value returned by the describe-key command output is “AWS”, the encryption key manager is Amazon Web Services and not the AWS customer, therefore the data on the selected Amazon FSx Windows File Server file system is encrypted using the default master key (i.e. aws/fsx key) instead of a customer-managed Customer Master Key (CMK).

7. Repeat steps 3–6 to determine the encryption configuration for the other Windows File Server file systems available in the selected region.

8. Change the AWS region by updating the --region command parameter value and repeat steps 1–8 to perform the entire process for other regions.
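The audit steps above as one script, added here as an example that is not part of the original post: classify_file_systems() holds the check as a pure function, so it can be exercised on constructed describe-file-systems and describe-key responses, while audit_region() (assumes boto3 is installed and AWS credentials are configured) runs the same check live across all pages of results.

```python
from typing import Callable, List


def classify_file_systems(
    file_systems: List[dict], describe_key: Callable[[str], dict]
) -> List[dict]:
    """One finding per file system in the describe-file-systems output.

    describe_key maps a KMS key ARN to its KeyMetadata dict (describe-key).
    A file system is compliant only when that key's KeyManager is CUSTOMER.
    """
    findings = []
    for fs in file_systems:
        key_id = fs.get("KmsKeyId")
        # No KmsKeyId in the output means the AWS-managed default key is in use.
        manager = describe_key(key_id)["KeyManager"] if key_id else "AWS"
        findings.append({
            "FileSystemId": fs["FileSystemId"],
            "FileSystemType": fs.get("FileSystemType"),
            "KmsKeyId": key_id,
            "KeyManager": manager,
            "Compliant": manager == "CUSTOMER",
        })
    return findings


def audit_region(region: str) -> List[dict]:
    """Live audit of one region: steps 1-6 of the audit section in one pass."""
    import boto3  # imported lazily so classify_file_systems runs without it

    fsx = boto3.client("fsx", region_name=region)
    kms = boto3.client("kms", region_name=region)
    file_systems: List[dict] = []
    # describe-file-systems is paginated; collect every page before classifying.
    for page in fsx.get_paginator("describe_file_systems").paginate():
        file_systems.extend(page["FileSystems"])
    return classify_file_systems(
        file_systems, lambda k: kms.describe_key(KeyId=k)["KeyMetadata"]
    )


if __name__ == "__main__":
    # Constructed region list; extend it to cover every region you operate in.
    for region in ("us-east-1", "eu-west-1"):
        for f in audit_region(region):
            state = "OK  " if f["Compliant"] else "FAIL"
            print(state, region, f["FileSystemId"], f["KeyManager"], f["KmsKeyId"])
```

describe-key on a key owned by another account only succeeds if that key's policy allows it, so a cross-account key ARN should be treated as a finding to follow up manually rather than as an error.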

To configure encryption at rest with a customer-managed CMK for the non-compliant file systems found above, perform the following actions:

Using AWS CLI

1. Define the access policy that enables your selected IAM users and/or roles to manage the new KMS Customer Master Key and to encrypt/decrypt FSx file system data using the AWS KMS API. Create a new policy document called fsx-cmk-policy.json and paste the following content (replace the placeholder details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "fsx-file-system-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonFSxManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/FSxAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/FSxAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

2. Run the create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. fsx-cmk-policy.json) as a command parameter to create the new AWS KMS Customer Master Key:

aws kms create-key \
--region us-east-1 \
--description 'KMS CMK for encrypting AWS FSx file systems data.' \
--policy file://fsx-cmk-policy.json

3. The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (the Arn parameter value), as it will be required later when you specify the key to use for FSx data encryption:

{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "Description": "KMS CMK for encrypting AWS FSx file systems data.",
    "Enabled": true,
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1517238466.120,
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd",
    "AWSAccountId": "123456789012"
  }
}

4. Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix “alias/” (the command does not produce any output):

aws kms create-alias \
--region us-east-1 \
--alias-name alias/FSxCustomCMK \
--target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd

5. Run the describe-file-systems command (OSX/Linux/UNIX) using the ID of the file system that you want to re-create as the identifier (see the audit steps above to identify the right resource) to return the configuration metadata for the specified Amazon FSx Windows File Server file system:

aws fsx describe-file-systems \
--region us-east-1 \
--file-system-ids fx-01234123412341234

6. The command output should return the requested file system metadata:

{
  "FileSystems": [
    {
      "FileSystemId": "fx-01234123412341234",
      "FileSystemType": "WINDOWS",
      "VpcId": "vpc-abcdabcd",
      ...
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-abcd1234abcd",
      "Region": "us-east-1",
      "OwnerId": "123456789012"
    }
  ]
}

7. Run the create-file-system command (OSX/Linux/UNIX) using the ARN of the newly created Customer Master Key (CMK) as the value of the --kms-key-id parameter, together with the configuration information returned at the previous step, to create a new and compliant Windows File Server file system:

aws fsx create-file-system \
--region us-east-1 \
--file-system-type WINDOWS \
--storage-capacity 1024 \
--subnet-ids subnet-abcd1234 \
--security-group-ids sg-012345678aabbccdd \
--kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd \
--windows-configuration ActiveDirectoryId="d-abcabcabc01",ThroughputCapacity=16,AutomaticBackupRetentionDays=7,CopyTagsToBackups=true

8. The command output should return the new AWS FSx file system metadata, now referencing the customer-managed key:

{
  "FileSystems": [
    {
      "FileSystemId": "fx-0abcd1234abcd1234",
      "FileSystemType": "WINDOWS",
      "VpcId": "vpc-abcdabcd",
      ...
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-1234-1234-abcd1234abcd",
      "Region": "us-east-1",
      "OwnerId": "123456789012"
    }
  ]
}

9. After the Amazon FSx file system is created, you can unmount the non-compliant file system and mount the new file system on your Windows-based EC2 instance joined to your AWS Directory Service directory.

10. Repeat steps 5–9 to configure encryption at rest using KMS Customer Master Keys (CMKs) for the other Amazon FSx Windows File Server file systems available in the current region.

11. Change the AWS region by updating the --region command parameter value and repeat steps 1–10 to perform the entire process for other regions.

Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164