CMK Key Policy and FSx Windows Self Managed

0

Trying to understand the role a CMK can play in protecting data. Obviously one layer of protection is the ACLs we use to lock down folders on our FSx share by allowing only certain AD users/groups read/write permissions, etc.

What role does the CMK key play? Can a policy on that key for that file system add a second layer, disallowing some AD users (federated roles) from decrypting, etc.? My initial testing with a CMK key policy on an FSx file system doesn't seem to bear this out. Hope my question makes sense.

Thanks

1 Answer
0

Hi,

ACLs and CMKs address two different aspects of security. ACLs provide access control: they say who can perform which actions on a given resource.

Key management and CMKs are used for encryption of data at rest, which addresses whether someone who has access to the data can still make sense of it. Encryption happens at two different layers, the AWS service layer and the user layer. Services like EBS and S3 can use KMS keys for encryption of data that is being written into the service. So, even if someone did accidentally have access to the physical media, they'd still not be able to decipher it. However, as a user, the encryption would be transparent to you, as the service would decrypt the data before returning it to you.

You can also use CMKs for client-side encryption. In this case, you encrypt the data before you write it to the service. So, let's say you use KMS to encrypt some fields before writing them to a database row. In this case, the database administrator will not be able to read the data. This is often a requirement for workloads with regulatory requirements. You could further use IAM policies to control access to the KMS APIs to decide which user/role is allowed to perform the encryption/decryption operation. In this case, if an application is running in EC2, you can use instance roles to grant permissions to the code to invoke the KMS APIs.

Hope that helps!

AWS
answered 2 years ago
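As an added illustration of the IAM-controlled client-side encryption described in the answer (an example policy, not from the original answer or from AWS documentation; the account ID 111122223333 and the role name app-field-encryption-role are placeholders): a KMS key policy that lets only the application's EC2 instance role encrypt and decrypt field values under a fixed encryption context, and explicitly denies kms:Decrypt to every other principal in the account, including federated roles, even when their own IAM policy grants it.

```json
{
  "Version": "2012-10-17",
  "Id": "field-encryption-key-policy",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAppRoleToEncryptAndDecryptFields",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/app-field-encryption-role" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:purpose": "customer-field-encryption" }
      }
    },
    {
      "Sid": "DenyDecryptToEveryoneElse",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/app-field-encryption-role",
            "arn:aws:iam::111122223333:root"
          ]
        }
      }
    }
  ]
}
```

The Deny statement governs who may call the KMS Decrypt API directly, which is the layer the answer describes for client-side encryption; it does not change what a Windows user sees through an FSx share, where the service decrypts the data at rest before returning it, as the answer's first layer describes. Keeping the account root in the ArnNotLike list avoids locking the account's administrators out of the key.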
  • Thank you for the response but that doesn't answer my question so let me rephrase it. We currently have Symantec Encryption Server on premise and we protect our Windows file server data with ACLs and keys. The user logs into their machine and their AD account allows the keys to download from the Symantec server so they can open and decrypt files. It's a transparent process for the user. But if they have ACLs for a folder but don't have the corresponding key, they will open files and see cipher (encrypted) text and it will be useless. So they need both the ACL and the folder/file key to read encrypted data.

    Sounds like FSx with CMK doesn't work the same way?
