Profile Applicability:
- Level 1
Description:
AWS Storage Gateway provides hybrid cloud storage, enabling on-premises applications to connect to cloud storage. File Gateway is one of the types of Storage Gateway, which allows you to store and retrieve data from Amazon S3 using standard file protocols. KMS encryption helps protect your data at rest by encrypting file shares using a KMS Customer Master Key (CMK). This SOP ensures that AWS Storage Gateway File Shares are encrypted with KMS CMKs for securing sensitive data and ensuring compliance with security standards.
Rationale:
Data Protection: Encrypting file shares with a KMS CMK ensures that your data is protected from unauthorized access.
Compliance: Many regulatory frameworks require encryption of sensitive data at rest. Encrypting file shares with a KMS CMK helps meet the encryption-at-rest requirements of standards such as HIPAA, PCI-DSS, and SOC 2.
Security: Encrypting file shares ensures that even if storage media is compromised, the data remains protected.
Impact:
Pros:
Enhanced Security: Data at rest is encrypted, providing an additional layer of security against unauthorized access.
Compliance: Helps meet security and regulatory requirements for data encryption.
Centralized Key Management: Using KMS CMK for encryption allows for easy management of encryption keys, ensuring proper access control.
Cons:
Cost: There are additional costs associated with KMS encryption, which may increase with the volume of data and number of encryption operations.
Performance Overhead: Encrypting and decrypting data incurs a slight performance overhead, although this is generally minimal with AWS-managed KMS.
Default Value:
By default, AWS Storage Gateway File Shares are not encrypted using KMS CMK. Encryption must be manually configured when setting up the file share.
Pre-requisite:
AWS IAM Permissions:
storagegateway:ListFileShares
storagegateway:DescribeNFSFileShares
storagegateway:DescribeSMBFileShares
storagegateway:UpdateNFSFileShare
storagegateway:UpdateSMBFileShare
kms:ListAliases
kms:DescribeKey
AWS CLI installed and configured.
Ensure that you have appropriate permissions to manage Storage Gateway file shares and KMS encryption.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Storage Gateway under Services.
In the Storage Gateway Dashboard, go to File Shares.
Select the File Share you want to check.
In the File Share Details, check the Encryption section.
If KMS encryption is enabled, it will show "Encrypted" and will list the KMS CMK used for encryption.
If KMS encryption is not enabled, you will need to configure it during the file share creation or modification.
Using AWS CLI:
To check whether KMS CMK encryption is enabled for Storage Gateway File Shares, first list the file share ARNs, then describe them. File shares are described per protocol (NFS or SMB), so run the describe command that matches the share type:
aws storagegateway list-file-shares --query 'FileShareInfoList[*].{FileShareId:FileShareId,FileShareType:FileShareType,FileShareARN:FileShareARN}'
aws storagegateway describe-nfs-file-shares --file-share-arn-list <FILE_SHARE_ARN> --query 'NFSFileShareInfoList[*].{FileShareId:FileShareId,KMSEncrypted:KMSEncrypted,KMSKey:KMSKey}'
aws storagegateway describe-smb-file-shares --file-share-arn-list <FILE_SHARE_ARN> --query 'SMBFileShareInfoList[*].{FileShareId:FileShareId,KMSEncrypted:KMSEncrypted,KMSKey:KMSKey}'
Review the output:
If KMSEncrypted is true and KMSKey contains the ARN of a KMS key, the file share is encrypted with a KMS CMK.
If KMSEncrypted is false or KMSKey is empty, KMS encryption is not enabled and the share uses S3-managed keys.
To enable KMS encryption for an existing File Share, follow the implementation steps to update the file share configuration.
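The following audit script is an added example and is not part of the original SOP. It evaluates the JSON returned by the describe-nfs-file-shares and describe-smb-file-shares commands above, so it runs offline on saved CLI output (pass the two saved responses as file paths) and, with no arguments, on a constructed sample. The account numbers, gateway, share and key IDs in the sample are placeholders. Beyond the page's true/false check it also flags a share whose KMS key belongs to a different AWS account than the share, which an auditor usually wants to confirm deliberately.

```python
"""Audit AWS Storage Gateway file shares for KMS encryption (added example).

Input is the JSON produced by:
  aws storagegateway describe-nfs-file-shares --file-share-arn-list <ARN...>
  aws storagegateway describe-smb-file-shares --file-share-arn-list <ARN...>
Usage: python audit_shares.py nfs.json smb.json   (or no args for the sample)
"""
import json
import sys

# Constructed sample responses: every account, gateway, share and key ID is a placeholder.
SAMPLE_NFS = {
    "NFSFileShareInfoList": [
        {   # compliant: KMS-encrypted with a key in the same account as the share
            "FileShareARN": "arn:aws:storagegateway:us-east-1:111122223333:share/share-NFS00001",
            "FileShareId": "share-NFS00001",
            "GatewayARN": "arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE1",
            "KMSEncrypted": True,
            "KMSKey": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        },
        {   # non-compliant: still using S3-managed keys
            "FileShareARN": "arn:aws:storagegateway:us-east-1:111122223333:share/share-NFS00002",
            "FileShareId": "share-NFS00002",
            "GatewayARN": "arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE1",
            "KMSEncrypted": False,
        },
    ]
}
SAMPLE_SMB = {
    "SMBFileShareInfoList": [
        {   # encrypted, but the key is owned by another account: worth a second look
            "FileShareARN": "arn:aws:storagegateway:us-east-1:111122223333:share/share-SMB00001",
            "FileShareId": "share-SMB00001",
            "GatewayARN": "arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE1",
            "KMSEncrypted": True,
            "KMSKey": "arn:aws:kms:us-east-1:444455556666:key/11111111-1111-1111-1111-111111111111",
        }
    ]
}


def arn_account(arn):
    """Return the account-ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def evaluate_share(share, share_type):
    """Classify one share from a describe-*-file-shares response as PASS, WARN or FAIL."""
    share_arn = share.get("FileShareARN", "")
    kms_key = share.get("KMSKey") or ""
    if not share.get("KMSEncrypted", False):
        status, reason = "FAIL", "KMSEncrypted is false: share uses S3-managed keys (SSE-S3)"
    elif not kms_key:
        status, reason = "FAIL", "KMSEncrypted is true but no KMSKey was returned"
    elif arn_account(kms_key) != arn_account(share_arn):
        status, reason = "WARN", "encrypted with a KMS key owned by another account: " + kms_key
    else:
        status, reason = "PASS", "encrypted with KMS key " + kms_key
    return {"Type": share_type, "FileShareId": share.get("FileShareId", ""),
            "FileShareARN": share_arn, "Status": status, "Reason": reason}


def evaluate_responses(nfs_response, smb_response):
    """Evaluate every NFS and SMB share in the two CLI responses."""
    results = [evaluate_share(s, "NFS") for s in nfs_response.get("NFSFileShareInfoList", [])]
    results += [evaluate_share(s, "SMB") for s in smb_response.get("SMBFileShareInfoList", [])]
    return results


def findings(results):
    """Shares that need attention (anything other than PASS)."""
    return [r for r in results if r["Status"] != "PASS"]


def load_response(path):
    with open(path) as fh:
        return json.load(fh)


def main(argv):
    if len(argv) == 3:
        nfs, smb = load_response(argv[1]), load_response(argv[2])
    else:
        nfs, smb = SAMPLE_NFS, SAMPLE_SMB
    results = evaluate_responses(nfs, smb)
    for r in results:
        print(f"{r['Status']:4} {r['Type']:3} {r['FileShareId']:16} {r['Reason']}")
    # Non-zero exit when any share is unencrypted, so the audit can gate a pipeline.
    return 1 if any(r["Status"] == "FAIL" for r in results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A WARN is reported rather than a FAIL for a cross-account key because some organizations deliberately centralize keys in a security account; the finding tells the reviewer to confirm that the key policy is the one intended.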
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Storage Gateway.
In the Storage Gateway Dashboard, select File Shares and choose the file share you want to modify.
Click Modify.
In the Encryption section, select Enable Encryption using KMS CMK.
Choose a KMS Key to encrypt the file share (or create a new one if necessary).
Save the changes.
Using AWS CLI:
To enable KMS encryption for a Storage Gateway File Share, run the update command that matches the share type, passing the KMS key by ARN:
aws storagegateway update-nfs-file-share --file-share-arn <FILE_SHARE_ARN> --kms-encrypted --kms-key <KMS_KEY_ARN>
aws storagegateway update-smb-file-share --file-share-arn <FILE_SHARE_ARN> --kms-encrypted --kms-key <KMS_KEY_ARN>
Verify that encryption is enabled (use describe-smb-file-shares and SMBFileShareInfoList for an SMB share):
aws storagegateway describe-nfs-file-shares --file-share-arn-list <FILE_SHARE_ARN> --query 'NFSFileShareInfoList[*].{FileShareId:FileShareId,KMSEncrypted:KMSEncrypted,KMSKey:KMSKey}'
Backout Plan:
Using AWS Console:
If enabling KMS encryption causes issues, sign in to the AWS Management Console.
Navigate to Storage Gateway, select the File Share, and go to the File Share Details tab.
Click Edit and disable KMS encryption or change to a different encryption key if needed.
Save the changes and verify that encryption is either disabled or reconfigured.
Using AWS CLI:
To disable KMS encryption (the share falls back to S3-managed keys), run the update command that matches the share type:
aws storagegateway update-nfs-file-share --file-share-arn <FILE_SHARE_ARN> --no-kms-encrypted
aws storagegateway update-smb-file-share --file-share-arn <FILE_SHARE_ARN> --no-kms-encrypted
Verify that KMS encryption has been disabled (KMSEncrypted should now be false) by running:
aws storagegateway describe-nfs-file-shares --file-share-arn-list <FILE_SHARE_ARN>
aws storagegateway describe-smb-file-shares --file-share-arn-list <FILE_SHARE_ARN>