Storage Gateway File Shares Should Use KMS Customer Managed Keys

Overview

This check verifies that AWS Storage Gateway file shares use AWS KMS customer managed keys (CMKs, formerly called customer master keys) to encrypt the data they store in Amazon S3. Storage Gateway file shares are file system mount points backed by S3 cloud storage; with a customer-managed key you decide, through the key policy, who can encrypt and decrypt that data, and you can revoke that access without touching the file share itself.

Risk

Without customer-managed KMS keys, you have limited control over your encryption:

  • Reduced key governance: You cannot define custom key policies or restrict access to specific principals
  • No key rotation control: AWS-managed keys follow AWS's rotation schedule, not yours
  • Limited audit visibility: Harder to track who accessed or used the encryption keys
  • Compliance gaps: Some regulations require customer-controlled encryption keys

Using CMKs allows you to revoke access, enforce separation of duties, and meet compliance requirements that mandate customer-controlled encryption.

Remediation Steps

Prerequisites

You need:

  • Permission to modify Storage Gateway file shares
  • A KMS key you want to use (or permission to create one)
  • The file share ARN for the affected file share

How to find your file share ARN

  1. Open the Storage Gateway console
  2. Click File shares in the left navigation
  3. Select your file share
  4. The ARN is displayed in the Details section

Or via CLI:

aws storagegateway list-file-shares --region us-east-1

AWS Console Method

  1. Open the AWS Storage Gateway console at https://console.aws.amazon.com/storagegateway
  2. In the left navigation, click File shares
  3. Select the file share you want to update
  4. Click Edit
  5. In the Encryption section, select AWS KMS key
  6. Choose your customer-managed KMS key from the dropdown, or paste its ARN
  7. Click Save

The file share will update to use your CMK for encrypting new objects stored in S3.

AWS CLI (optional)

For NFS file shares:

aws storagegateway update-nfs-file-share \
--file-share-arn <your-file-share-arn> \
--encryption-type SseKms \
--kms-encrypted \
--kms-key <your-kms-key-arn> \
--region us-east-1

For SMB file shares:

aws storagegateway update-smb-file-share \
--file-share-arn <your-file-share-arn> \
--encryption-type SseKms \
--kms-encrypted \
--kms-key <your-kms-key-arn> \
--region us-east-1

Replace:

  • <your-file-share-arn> with your file share ARN (e.g., arn:aws:storagegateway:us-east-1:123456789012:share/share-ABCD1234)
  • <your-kms-key-arn> with your KMS key ARN (e.g., arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012)

Using dual-layer encryption (DSSE-KMS) for enhanced security:

aws storagegateway update-nfs-file-share \
--file-share-arn <your-file-share-arn> \
--encryption-type DsseKms \
--kms-encrypted \
--kms-key <your-kms-key-arn> \
--region us-east-1

CloudFormation (optional)

Use this template to create a new NFS file share with KMS encryption:

AWSTemplateFormatVersion: '2010-09-09'
Description: Storage Gateway NFS file share with CMK encryption

Parameters:
  GatewayArn:
    Type: String
    Description: ARN of the Storage Gateway

  BucketArn:
    Type: String
    Description: ARN of the S3 bucket for the file share

  RoleArn:
    Type: String
    Description: ARN of the IAM role for the file share

  KMSKeyArn:
    Type: String
    Description: ARN of the KMS key for encryption

  ClientList:
    Type: CommaDelimitedList
    Description: List of allowed NFS clients (CIDR notation)
    Default: "10.0.0.0/8"

Resources:
  EncryptedNFSFileShare:
    Type: AWS::StorageGateway::NFSFileShare
    Properties:
      GatewayARN: !Ref GatewayArn
      LocationARN: !Ref BucketArn
      Role: !Ref RoleArn
      ClientList: !Ref ClientList
      # Encrypt objects written to S3 with the customer-managed key
      KMSEncrypted: true
      KMSKey: !Ref KMSKeyArn
      DefaultStorageClass: S3_STANDARD
      ObjectACL: private
      Squash: RootSquash

Outputs:
  FileShareArn:
    Description: ARN of the encrypted file share
    Value: !Ref EncryptedNFSFileShare

For SMB file shares, use AWS::StorageGateway::SMBFileShare with the same encryption properties.

Terraform (optional)

# Customer-managed key with automatic rotation enabled
resource "aws_kms_key" "storage_gateway_key" {
  description             = "KMS key for Storage Gateway file share encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  tags = {
    Name = "storage-gateway-key"
  }
}

resource "aws_kms_alias" "storage_gateway_key_alias" {
  name          = "alias/storage-gateway-key"
  target_key_id = aws_kms_key.storage_gateway_key.key_id
}

resource "aws_storagegateway_nfs_file_share" "encrypted_share" {
  client_list  = ["10.0.0.0/8"]
  gateway_arn  = aws_storagegateway_gateway.example.arn
  location_arn = aws_s3_bucket.example.arn
  role_arn     = aws_iam_role.example.arn
  # Encrypt objects written to S3 with the customer-managed key above
  kms_encrypted = true
  kms_key_arn   = aws_kms_key.storage_gateway_key.arn

  default_storage_class = "S3_STANDARD"
  squash                = "RootSquash"

  tags = {
    Environment = "production"
  }
}

For SMB file shares:

resource "aws_storagegateway_smb_file_share" "encrypted_share" {
  gateway_arn  = aws_storagegateway_gateway.example.arn
  location_arn = aws_s3_bucket.example.arn
  role_arn     = aws_iam_role.example.arn
  # Same encryption settings as the NFS share
  kms_encrypted = true
  kms_key_arn   = aws_kms_key.storage_gateway_key.arn

  default_storage_class = "S3_STANDARD"

  tags = {
    Environment = "production"
  }
}

Verification

After updating the file share, confirm the encryption is active:

  1. Open the Storage Gateway console
  2. Click File shares in the left navigation
  3. Select your file share
  4. In the Details section, verify:
    • Encryption shows SSE-KMS (or DSSE-KMS)
    • KMS key displays your customer-managed key ARN

CLI verification

For NFS file shares:

aws storagegateway describe-nfs-file-shares \
--file-share-arn-list <your-file-share-arn> \
--region us-east-1 \
--query 'NFSFileShareInfoList[0].{KMSEncrypted:KMSEncrypted,KMSKey:KMSKey,EncryptionType:EncryptionType}'

For SMB file shares:

aws storagegateway describe-smb-file-shares \
--file-share-arn-list <your-file-share-arn> \
--region us-east-1 \
--query 'SMBFileShareInfoList[0].{KMSEncrypted:KMSEncrypted,KMSKey:KMSKey,EncryptionType:EncryptionType}'

Expected output should show:

  • KMSEncrypted: true
  • KMSKey: Your KMS key ARN
  • EncryptionType: SseKms or DsseKms
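The three fields above are exactly what an automated version of this check needs. The script below is an added example (not part of the original page or of any AWS tool): it classifies each share from the JSON that describe-nfs-file-shares / describe-smb-file-shares return, and, when given a KeyManager lookup (what kms:DescribeKey reports), distinguishes a customer-managed key from an AWS-managed one, which the file share fields alone cannot do. The sample responses, ARNs and key IDs are constructed placeholders; fetch_live is the only part that talks to AWS and assumes the keys live in the gateway's region.

```python
"""Evaluate Storage Gateway file shares for customer-managed KMS encryption.

Added example (not from the original page or any AWS tool). Works offline on
the JSON shape of describe-nfs-file-shares / describe-smb-file-shares plus an
optional KeyManager lookup; fetch_live wires the same logic to boto3.
"""
import re
from typing import Callable, Optional

KMS_TYPES = {"SseKms", "DsseKms"}
# A KMS *key* ARN; alias ARNs such as arn:aws:kms:...:alias/aws/s3 do not match.
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed sample data; ARNs, account and key IDs are illustrative placeholders.
CUSTOMER_KEY = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
AWS_MANAGED_KEY = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_RESPONSES = {
    "NFSFileShareInfoList": [
        {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-ABCD1234",
         "KMSEncrypted": True, "KMSKey": CUSTOMER_KEY, "EncryptionType": "SseKms"},
        {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-EFGH5678",
         "KMSEncrypted": False, "EncryptionType": "SseS3"},
    ],
    "SMBFileShareInfoList": [
        {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-IJKL9012",
         "KMSEncrypted": True, "KMSKey": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3"},
        {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-MNOP3456",
         "KMSEncrypted": True, "KMSKey": AWS_MANAGED_KEY, "EncryptionType": "DsseKms"},
    ],
}
# Constructed stand-in for kms:DescribeKey -> KeyMetadata.KeyManager ("CUSTOMER" or "AWS").
SAMPLE_KEY_MANAGERS = {CUSTOMER_KEY: "CUSTOMER", AWS_MANAGED_KEY: "AWS"}


def classify_share(share: dict, key_manager: Optional[Callable[[str], str]] = None):
    """Return (status, reason) for one NFS or SMB file share description.

    Newer responses carry EncryptionType (SseS3 | SseKms | DsseKms); older ones
    only KMSEncrypted. Without key_manager the check confirms that a KMS key ARN
    is configured but cannot prove the key is customer-managed.
    """
    enc_type = share.get("EncryptionType")
    uses_kms = enc_type in KMS_TYPES if enc_type else bool(share.get("KMSEncrypted"))
    if not uses_kms:
        return "FAIL", f"not KMS-encrypted (EncryptionType={enc_type or 'SseS3'})"
    key = share.get("KMSKey", "")
    if not KEY_ARN_RE.match(key):
        return "FAIL", f"KMSKey is not a key ARN, cannot confirm customer-managed: {key!r}"
    if key_manager is None:
        return "PASS", f"KMS key configured, KeyManager not verified: {key}"
    manager = key_manager(key)
    if manager != "CUSTOMER":
        return "FAIL", f"key {key} has KeyManager={manager}, not CUSTOMER"
    return "PASS", f"customer-managed key {key} ({enc_type or 'SseKms'})"


def evaluate(responses: dict, key_manager=None) -> list:
    """Classify every share in both describe-* responses; one dict per share, in order."""
    results = []
    for list_name, share_type in (("NFSFileShareInfoList", "NFS"), ("SMBFileShareInfoList", "SMB")):
        for share in responses.get(list_name, []):
            status, reason = classify_share(share, key_manager)
            results.append({"arn": share["FileShareARN"], "type": share_type,
                            "status": status, "reason": reason})
    return results


def fetch_live(region: str) -> list:
    """Live variant: needs boto3, credentials, storagegateway List*/Describe* and kms:DescribeKey.

    Assumes keys are in the gateway's region; list_file_shares is paginated via
    Marker/NextMarker and the describe_* calls take at most 10 ARNs each.
    """
    import boto3  # imported lazily so the offline example has no dependency

    sgw = boto3.client("storagegateway", region_name=region)
    kms = boto3.client("kms", region_name=region)
    arns = {"NFS": [], "SMB": []}
    kwargs = {}
    while True:
        page = sgw.list_file_shares(**kwargs)
        for info in page.get("FileShareInfoList", []):
            arns[info["FileShareType"]].append(info["FileShareARN"])
        if not page.get("NextMarker"):
            break
        kwargs = {"Marker": page["NextMarker"]}
    responses = {"NFSFileShareInfoList": [], "SMBFileShareInfoList": []}
    for i in range(0, len(arns["NFS"]), 10):
        responses["NFSFileShareInfoList"] += sgw.describe_nfs_file_shares(
            FileShareARNList=arns["NFS"][i:i + 10])["NFSFileShareInfoList"]
    for i in range(0, len(arns["SMB"]), 10):
        responses["SMBFileShareInfoList"] += sgw.describe_smb_file_shares(
            FileShareARNList=arns["SMB"][i:i + 10])["SMBFileShareInfoList"]

    def key_manager(arn: str) -> str:
        return kms.describe_key(KeyId=arn)["KeyMetadata"]["KeyManager"]

    return evaluate(responses, key_manager)


if __name__ == "__main__":
    for r in evaluate(SAMPLE_RESPONSES, lambda arn: SAMPLE_KEY_MANAGERS.get(arn, "UNKNOWN")):
        print(f"{r['status']:4} {r['type']:3} {r['arn']}: {r['reason']}")
```

Run as-is it reports the first sample share as passing and the other three as failing for three different reasons (no KMS at all, an alias rather than a key ARN, and an AWS-managed key). The alias case is deliberate: a share can be KMS-encrypted and still fail this check, so the ARN shape and the KeyManager value both matter.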

Notes

  • Existing objects not re-encrypted: Changing the encryption setting only affects new objects. Existing objects in S3 retain their original encryption. To re-encrypt existing data, you must copy the files.
  • Key permissions required: The Storage Gateway IAM role needs kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey permissions on the CMK.
  • Cost considerations: Using customer-managed KMS keys incurs standard KMS charges for key usage and API calls.
  • Dual-layer encryption: For highly sensitive workloads, consider using DsseKms (dual-layer server-side encryption) for an additional layer of protection.
  • File share type matters: NFS and SMB file shares use different CLI commands and CloudFormation resources, but the encryption options are the same.
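The key-permissions note is the one that most often bites after a switch to a CMK: the file share is updated, but the gateway's role is missing from the key policy and writes start failing. The script below is an added example (not from the original page) that checks a key policy document for the three actions the note lists, honouring IAM action wildcards and case-insensitivity. It looks only at Allow statements that name the role ARN (or "*") in Principal.AWS and ignores Deny statements, Condition blocks and the role's own identity policy, so a clean result here is necessary but not sufficient. The policies, account ID and role name are constructed placeholders.

```python
"""Check a KMS key policy for the actions a Storage Gateway role needs.

Added example, not from the original page. Evaluates Allow statements only;
Deny, Condition and identity-policy effects are out of scope.
"""
import fnmatch

REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

# Constructed sample; the account ID and role name are placeholders.
GATEWAY_ROLE_ARN = "arn:aws:iam::123456789012:role/StorageGatewayFileShareRole"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowStorageGatewayRole", "Effect": "Allow",
         "Principal": {"AWS": [GATEWAY_ROLE_ARN]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}
# Same policy with the role limited to decrypt only: reads work, new writes fail.
DECRYPT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [dict(SAMPLE_KEY_POLICY["Statement"][0]),
                  {**SAMPLE_KEY_POLICY["Statement"][1], "Action": "kms:Decrypt"}],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_action_patterns(policy: dict, principal_arn: str) -> set:
    """Action patterns from Allow statements whose Principal.AWS covers principal_arn."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        if principal_arn in aws_principals or "*" in aws_principals:
            patterns.update(_as_list(stmt.get("Action")))
    return patterns


def missing_actions(policy: dict, principal_arn: str) -> list:
    """Required actions that no matching Allow statement grants (wildcards expanded)."""
    patterns = [p.lower() for p in granted_action_patterns(policy, principal_arn)]
    return [action for action in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)]


if __name__ == "__main__":
    print("gateway role missing:", missing_actions(SAMPLE_KEY_POLICY, GATEWAY_ROLE_ARN))
    print("decrypt-only missing:", missing_actions(DECRYPT_ONLY_POLICY, GATEWAY_ROLE_ARN))
```

To run it against a real key, feed it the document returned by kms:GetKeyPolicy (policy name "default") and the Role ARN shown on the file share; an empty list means every listed action is covered by at least one Allow statement.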