Amazon FSx for Windows file systems are not encrypted using a customer-managed KMS key Affecting FSx service in AWS

Severity Framework Snyk CCSS

Rule category Data / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00730
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Although FSx for Windows file systems are encrypted by default with AWS-managed keys, customer-managed keys provide full control over access and administration policies and key rotation which may help meet compliance and security requirements.

How to fix?

Set the kms_key_id attribute in aws_fsx_windows_file_system resource to a valid key_arn.

Example Configuration

resource "aws_fsx_windows_file_system" "allow1" {
  active_directory_id = aws_directory_service_directory.rule-730.id
  subnet_ids          = [data.aws_subnet.subnet-1.id]
  throughput_capacity = 1024
  kms_key_id          = data.aws_kms_key.custom_key.arn
  storage_capacity    = 1200
}

Terraform

aws_fsx_windows_file_system

References

Encryption at Rest