Best practices

FSx Windows file system without CMK

Risk Level

Informational (4)

Platform(s)

Description

FSx for Windows File Server is a fully managed Windows file system that can be used to move Windows-based applications that require file storage to the AWS cloud. By default, your Amazon FSx data is encrypted at rest using an AWS-managed key. However, you have the option to configure your Windows File Server file system '{AwsFsxFileSystem}' to encrypt data using customer-managed keys (CMKs). Only CMKs give you the ability to fully manage your encryption keys, including key policies, key rotation, access, tags and more.
Recommended Mitigation

Ensure that Amazon FSx for Windows File Server file systems are using AWS KMS Customer Master Keys (CMKs) instead of AWS-managed keys for data encryption, in order to have fine-grained control over data-at-rest encryption and decryption and to meet compliance requirements. For more information visit: https://docs.aws.amazon.com/fsx/latest/WindowsGuide/encryption-at-rest.html
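The check behind this rule can be reproduced from two API responses: `aws fsx describe-file-systems` reports each file system's `KmsKeyId`, and `aws kms describe-key` reports whether that key's `KeyManager` is `AWS` (the AWS-managed `aws/fsx` key) or `CUSTOMER` (a CMK). The following script is an added example, not the rule vendor's or AWS's own code: it runs the classification offline over constructed sample records that mirror the shape of those two responses (the file system IDs, key ARNs and the 111122223333 account number are made up), and it treats a key whose metadata cannot be read, for example a CMK owned by another account, as needing review rather than as a pass or fail.

```python
"""Detection logic for 'FSx Windows file system without CMK' (added example).

Inputs mirror the documented shapes of `aws fsx describe-file-systems`
(FileSystems[].FileSystemId / FileSystemType / KmsKeyId) and
`aws kms describe-key` (KeyMetadata.KeyManager). All sample values below
are constructed for the example.
"""
from enum import Enum


class Status(str, Enum):
    COMPLIANT = "COMPLIANT"            # customer-managed key (KeyManager == CUSTOMER)
    NON_COMPLIANT = "NON_COMPLIANT"    # AWS-managed key (KeyManager == AWS)
    NEEDS_REVIEW = "NEEDS_REVIEW"      # key metadata unavailable or unexpected


# Constructed sample: FileSystems[] as returned by `aws fsx describe-file-systems`.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-0aaa000000000001", "FileSystemType": "WINDOWS",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"},
    {"FileSystemId": "fs-0aaa000000000002", "FileSystemType": "WINDOWS",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"},
    {"FileSystemId": "fs-0aaa000000000003", "FileSystemType": "WINDOWS",
     # key lives in another account, so describe-key was not possible from here
     "KmsKeyId": "arn:aws:kms:us-east-1:444455556666:key/00000000-0000-0000-0000-000000000003"},
    {"FileSystemId": "fs-0aaa000000000004", "FileSystemType": "LUSTRE",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"},
]

# Constructed sample: KeyMetadata from `aws kms describe-key`, keyed by key ARN.
# The cross-account key is deliberately absent to exercise the review path.
SAMPLE_KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001":
        {"KeyManager": "AWS", "Description": "Default key that protects my FSx resources"},
    "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002":
        {"KeyManager": "CUSTOMER", "Description": "fsx-windows-cmk"},
}


def classify(key_arn, key_metadata_by_arn):
    """Map one file system's KMS key to a Status plus a human-readable reason."""
    meta = key_metadata_by_arn.get(key_arn)
    if meta is None:
        return Status.NEEDS_REVIEW, "KMS key metadata unavailable (cross-account key or no kms:DescribeKey)"
    manager = meta.get("KeyManager")
    if manager == "AWS":
        return Status.NON_COMPLIANT, "encrypted with the AWS-managed key"
    if manager == "CUSTOMER":
        return Status.COMPLIANT, "encrypted with a customer-managed key (CMK)"
    return Status.NEEDS_REVIEW, f"unexpected KeyManager value {manager!r}"


def evaluate_fsx_windows(file_systems, key_metadata_by_arn):
    """Apply the rule to every WINDOWS file system; other FSx types are out of scope."""
    findings = []
    for fs in file_systems:
        if fs.get("FileSystemType") != "WINDOWS":
            continue
        status, reason = classify(fs.get("KmsKeyId"), key_metadata_by_arn)
        findings.append({"FileSystemId": fs["FileSystemId"], "KmsKeyId": fs.get("KmsKeyId"),
                         "Status": status, "Reason": reason})
    return findings


def non_compliant_ids(findings):
    """IDs of Windows file systems still on the AWS-managed key."""
    return [f["FileSystemId"] for f in findings if f["Status"] is Status.NON_COMPLIANT]


if __name__ == "__main__":
    for f in evaluate_fsx_windows(SAMPLE_FILE_SYSTEMS, SAMPLE_KEY_METADATA):
        print(f"{f['FileSystemId']}: {f['Status'].value} ({f['Reason']})")
```

Feeding real output into `evaluate_fsx_windows` only requires the two CLI calls named above; the scan itself needs read-only `fsx:DescribeFileSystems` and `kms:DescribeKey` permissions. Because the KMS key is chosen when an FSx file system is created, a non-compliant finding is remediated by creating a replacement file system that specifies the CMK (for example from a backup) rather than by editing the existing one.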