Checks that Storage Gateway file shares are configured with a customer-managed KMS key (CMK) for server-side encryption of the objects they write to S3.
File shares without an explicit KMS key (that is, not using SSE-KMS or DSSE-KMS with a specified key) are identified.
Risk
Without a CMK, encryption relies on provider-managed keys, which reduces control over who can decrypt the data and when. This weakens confidentiality by limiting key-policy enforcement, revocation, and auditable key use, and increases exposure from stolen S3 credentials or overly permissive roles.
Run the check with Prowler: prowler aws --checks storagegateway_fileshare_encryption_enabled
Recommendation
Use a customer-managed KMS key for each file share's server-side encryption (SSE-KMS, or DSSE-KMS where dual-layer encryption is required). Apply least privilege and separation of duties to key access, rotate keys, monitor key usage, and restrict the key policy to the principals and regions that need it.
Remediation
Using the AWS CLI (NFS file share shown): aws storagegateway update-nfs-file-share --file-share-arn <example_resource_arn> --kms-encrypted --kms-key <example_kms_key_arn>
- In the AWS Console, go to Storage Gateway > File shares
- Select the affected file share and click Edit
- Under Encryption, choose AWS KMS key
- Select the CMK to use (or paste its ARN)
- Save changes
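The pass/fail rule the check applies, as an added example that is not Prowler's own code, run over constructed describe-nfs-file-shares / describe-smb-file-shares style records; KMSEncrypted and KMSKey are real response fields, while EncryptionType (SseS3 | SseKms | DsseKms) is the newer field and is assumed optional because older shares may not report it.

```python
"""Added example, not Prowler's own code: apply the same pass/fail rule as the
check above to the JSON returned by `describe-nfs-file-shares` and
`describe-smb-file-shares`. KMSEncrypted/KMSKey are real response fields;
EncryptionType (SseS3 | SseKms | DsseKms) is the newer field and is treated
as optional because older shares may not report it."""


def share_uses_cmk(share: dict) -> bool:
    """True when objects are written under SSE-KMS/DSSE-KMS with an explicit key ARN."""
    enc_type = share.get("EncryptionType")
    if enc_type is not None and enc_type not in ("SseKms", "DsseKms"):
        return False  # SseS3: S3-managed key, no customer control over decryption
    return bool(share.get("KMSEncrypted")) and bool(share.get("KMSKey"))


def find_non_cmk_shares(shares: list[dict]) -> list[str]:
    """ARNs that would fail the check and need update-nfs/smb-file-share."""
    return [s["FileShareARN"] for s in shares if not share_uses_cmk(s)]


def collect_file_shares(region: str) -> list[dict]:
    """Live variant (needs credentials): every NFS and SMB share in the region."""
    import boto3  # imported here so the offline sample below runs without boto3
    sgw = boto3.client("storagegateway", region_name=region)
    infos = [fs for page in sgw.get_paginator("list_file_shares").paginate()
             for fs in page["FileShareInfoList"]]
    shares: list[dict] = []
    for kind, describe, key in (("NFS", sgw.describe_nfs_file_shares, "NFSFileShareInfoList"),
                                ("SMB", sgw.describe_smb_file_shares, "SMBFileShareInfoList")):
        arns = [fs["FileShareARN"] for fs in infos if fs["FileShareType"] == kind]
        for i in range(0, len(arns), 10):  # the Describe APIs accept at most 10 ARNs per call
            shares += describe(FileShareARNList=arns[i:i + 10])[key]
    return shares


# Constructed sample responses (fake account/key ids), not real data.
_ACCT = "123456789012"
_SHARE = "arn:aws:storagegateway:us-east-1:" + _ACCT + ":share/share-"
_KEY = "arn:aws:kms:us-east-1:" + _ACCT + ":key/aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE_SHARES = [
    {"FileShareARN": _SHARE + "CMK1", "KMSEncrypted": True, "KMSKey": _KEY, "EncryptionType": "SseKms"},
    {"FileShareARN": _SHARE + "CMK2", "KMSEncrypted": True, "KMSKey": _KEY, "EncryptionType": "DsseKms"},
    {"FileShareARN": _SHARE + "S3MK", "KMSEncrypted": False, "EncryptionType": "SseS3"},
    {"FileShareARN": _SHARE + "OLD1", "KMSEncrypted": False},  # legacy share, no EncryptionType
]

if __name__ == "__main__":
    for arn in find_non_cmk_shares(SAMPLE_SHARES):
        print("FAIL", arn)
```

For SMB file shares the equivalent remediation is aws storagegateway update-smb-file-share with the same --kms-encrypted and --kms-key options.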
Resource Type: Other