Posted On: Sep 16, 2020

You can now use Amazon Identity and Access Management (Amazon IAM) identity-based policies to enforce encryption of data at rest for your Amazon Elastic File System (Amazon EFS) file system resources. Using an IAM condition key, you can prevent users from creating EFS file systems that aren’t encrypted. Central security administrators can also define service control policies (SCPs) inside Amazon Organizations to enforce EFS encryption for all Amazon Web Services accounts in their organization. 
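The policy below is an added example, not text from the announcement, showing how the condition-key approach described above looks in practice. It assumes the condition key is `elasticfilesystem:Encrypted` and the gated action is `elasticfilesystem:CreateFileSystem`, both documented in the Amazon EFS User Guide; the statement denies any CreateFileSystem call whose request sets encryption to false. Attached as an IAM identity-based policy it applies to the principals it is attached to; the same statement used as an SCP in Amazon Organizations applies to every account in the organizational unit it targets.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedEfsFileSystems",
            "Effect": "Deny",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:Encrypted": "false"
                }
            }
        }
    ]
}
```

Two practical points when rolling this out: an explicit Deny overrides any Allow elsewhere in the principal's policies, so no separate grant needs to be rewritten; and the statement only gates creation. File systems that were created unencrypted before the policy was attached are unaffected, and EFS does not support turning encryption on for an existing file system, so those have to be found separately (for example by listing file systems and checking the Encrypted attribute) and migrated to new encrypted file systems.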

This capability complements enforcing encryption of data in transit using file system policies, IAM authorization for NFS clients, and EFS Access Points as tools to manage access to your EFS resources at scale. Enforcing encryption of data at rest is available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD, at no additional charge. To get started, see the Amazon EFS User Guide.