AWS fsx documentation change
Summary
Expanded encryption documentation to explicitly include backups in encryption-at-rest processes
Security assessment
Adds details about backup encryption and KMS integration for backups, enhancing security documentation without addressing a specific vulnerability
Diff
diff --git a/fsx/latest/ONTAPGuide/encryption-at-rest.md b/fsx/latest/ONTAPGuide/encryption-at-rest.md index aa9436100..265a9be34 100644 --- a/fsx/latest/ONTAPGuide/encryption-at-rest.md +++ b/fsx/latest/ONTAPGuide/encryption-at-rest.md @@ -9 +9 @@ How Amazon FSx uses AWS KMSAmazon FSx key policies for AWS KMS -All Amazon FSx for NetApp ONTAP file systems are encrypted at rest with keys managed using AWS Key Management Service (AWS KMS). Data is automatically encrypted before being written to the file system, and automatically decrypted as it is read. These processes are handled transparently by Amazon FSx, so you don't have to modify your applications. +All Amazon FSx for NetApp ONTAP file systems and backups are encrypted at rest with keys managed using AWS Key Management Service (AWS KMS). Data is automatically encrypted before being written to the file system, and automatically decrypted as it is read. All backups are automatically encrypted at creation, and automatically decrypted when the backup is restored to a new volume. These processes are handled transparently by Amazon FSx, so you don't have to modify your applications. @@ -19 +19 @@ The AWS key management infrastructure uses Federal Information Processing Standa -Amazon FSx integrates with AWS KMS for key management. Amazon FSx uses KMS keys to encrypt your file system. You choose the KMS key used to encrypt and decrypt file systems (both data and metadata). You can enable, disable, or revoke grants on this KMS key. This KMS key can be one of the two following types: +Amazon FSx integrates with AWS KMS for key management. Amazon FSx uses KMS keys to encrypt your file system and any volume backups. You choose the KMS key used to encrypt and decrypt file systems and volume backups (both data and metadata). You can enable, disable, or revoke grants on this KMS key. This KMS key can be one of the two following types: @@ -36 +36 @@ If you use a customer-managed KMS key as your KMS key for file data encryption a -Key policies are the primary way to control access to KMS keys. For more information on key policies, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the _AWS Key Management Service Developer Guide._ The following list describes all the AWS KMS-related permissions supported by Amazon FSx for encrypted at rest file systems: +Key policies are the primary way to control access to KMS keys. For more information on key policies, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the _AWS Key Management Service Developer Guide._ The following list describes all the AWS KMS-related permissions supported by Amazon FSx for encrypted at rest file systems and backups: