diff --git a/aws/data_source_aws_efs_file_system.go b/aws/data_source_aws_efs_file_system.go index 014ae135363..25566df4e52 100644 --- a/aws/data_source_aws_efs_file_system.go +++ b/aws/data_source_aws_efs_file_system.go @@ -22,12 +22,20 @@ func dataSourceAwsEfsFileSystem() *schema.Resource { ForceNew: true, ValidateFunc: validateMaxLength(64), }, + "encrypted": { + Type: schema.TypeBool, + Computed: true, + }, "file_system_id": { Type: schema.TypeString, Optional: true, Computed: true, ForceNew: true, }, + "kms_key_id": { + Type: schema.TypeString, + Computed: true, + }, "performance_mode": { Type: schema.TypeString, Computed: true, @@ -108,6 +116,8 @@ func dataSourceAwsEfsFileSystemRead(d *schema.ResourceData, meta interface{}) er d.Set("creation_token", fs.CreationToken) d.Set("performance_mode", fs.PerformanceMode) d.Set("file_system_id", fs.FileSystemId) + d.Set("encrypted", fs.Encrypted) + d.Set("kms_key_id", fs.KmsKeyId) return nil } diff --git a/aws/resource_aws_efs_file_system.go b/aws/resource_aws_efs_file_system.go index 445242d4d28..a0f5a59b6fd 100644 --- a/aws/resource_aws_efs_file_system.go +++ b/aws/resource_aws_efs_file_system.go @@ -1,6 +1,7 @@ package aws import ( + "errors" "fmt" "log" "time" @@ -48,6 +49,21 @@ func resourceAwsEfsFileSystem() *schema.Resource { ValidateFunc: validatePerformanceModeType, }, + "encrypted": { + Type: schema.TypeBool, + Optional: true, + Computed: true, + ForceNew: true, + }, + + "kms_key_id": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ForceNew: true, + ValidateFunc: validateArn, + }, + "tags": tagsSchema(), }, } 
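Review bot: In the resource schema hunk, `encrypted` is Optional with no default, so a configuration that omits it creates a file system that is not encrypted at rest, and because the field is ForceNew, turning encryption on later means destroying and recreating the file system together with its contents. That is presumably deliberate so the provider follows the service default, but neither the schema nor the accompanying doc text says so, and it is exactly the kind of irreversible choice a user should be warned about. I would add above the field: `// Encryption at rest can only be chosen at creation (ForceNew); leaving this unset yields an unencrypted file system.` and a matching one-liner on `kms_key_id`, which is also ForceNew. The enclosing `resourceAwsEfsFileSystem` function starts before this hunk.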
@@ -76,6 +92,21 @@ func resourceAwsEfsFileSystemCreate(d *schema.ResourceData, meta interface{}) er createOpts.PerformanceMode = aws.String(v.(string)) } + encrypted, hasEncrypted := d.GetOk("encrypted") + kmsKeyId, hasKmsKeyId := d.GetOk("kms_key_id") + + if hasEncrypted { + createOpts.Encrypted = aws.Bool(encrypted.(bool)) + } + + if hasKmsKeyId { + createOpts.KmsKeyId = aws.String(kmsKeyId.(string)) + } + + if encrypted == false && hasKmsKeyId { + return errors.New("encrypted must be set to true when kms_key_id is specified") + } + log.Printf("[DEBUG] EFS file system create options: %#v", *createOpts) fs, err := conn.CreateFileSystem(createOpts) if err != nil { @@ -196,6 +227,8 @@ func resourceAwsEfsFileSystemRead(d *schema.ResourceData, meta interface{}) erro d.Set("creation_token", fs.CreationToken) d.Set("performance_mode", fs.PerformanceMode) + d.Set("encrypted", fs.Encrypted) + d.Set("kms_key_id", fs.KmsKeyId) return nil } diff --git a/aws/resource_aws_efs_file_system_test.go b/aws/resource_aws_efs_file_system_test.go index 93119bb7974..c003fd79257 100644 --- a/aws/resource_aws_efs_file_system_test.go +++ b/aws/resource_aws_efs_file_system_test.go @@ -3,6 +3,7 @@ package aws import ( "fmt" "reflect" + "regexp" "testing" "github.com/aws/aws-sdk-go/aws" 
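Review bot: The kms_key_id/encrypted consistency check in the Create hunk runs only after both values have already been copied into createOpts and compares an `interface{}` against an untyped `false`; it works, but it reads as an afterthought and depends on the interface holding a bool. I would place the guard ahead of the two assignments and type-assert explicitly, `if hasKmsKeyId && !encrypted.(bool) {`, keeping the same error string since the acceptance test matches on it. Note that d.GetOk reports an explicit `encrypted = false` the same as an unset value, so both cases reach the error, which appears to be the intended behaviour. Because the check fires only at apply time, dependencies such as a referenced aws_kms_key are created before the user ever sees the error; if the vendored helper/schema exposes CustomizeDiff, raising this at plan time would avoid that. resourceAwsEfsFileSystemCreate begins and ends outside this hunk.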
@@ -170,6 +171,41 @@ func TestAccAWSEFSFileSystem_pagedTags(t *testing.T) { }) } +func TestAccAWSEFSFileSystem_kmsKey(t *testing.T) { + rInt := acctest.RandInt() + keyRegex := regexp.MustCompile("^arn:aws:([a-zA-Z0-9\\-])+:([a-z]{2}-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$") + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckEfsFileSystemDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSEFSFileSystemConfigWithKmsKey(rInt), + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("aws_efs_file_system.foo-with-kms", "kms_key_id", keyRegex), + resource.TestCheckResourceAttr("aws_efs_file_system.foo-with-kms", "encrypted", "true"), + ), + }, + }, + }) +} + +func TestAccAWSEFSFileSystem_kmsConfigurationWithoutEncryption(t *testing.T) { + rInt := acctest.RandInt() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckEfsFileSystemDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt), + ExpectError: regexp.MustCompile(`encrypted must be set to true when kms_key_id is specified`), + }, + }, + }) +} + func testAccCheckEfsFileSystemDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).efsconn for _, rs := range s.RootModule().Resources { 
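Review bot: `keyRegex` in TestAccAWSEFSFileSystem_kmsKey hardcodes the `aws` partition and accepts any service and any resource, so the test fails outright in the GovCloud and China partitions and would still pass if `kms_key_id` came back as, say, an EFS or IAM ARN. The Read path stores `fs.KmsKeyId` verbatim and the config references `aws_kms_key.foo.arn`, so the expected value is presumably a KMS key ARN; a tighter, partition-tolerant pattern is `keyRegex := regexp.MustCompile("^arn:aws[a-z\\-]*:kms:[a-z]{2}-[a-z]+-\\d:\\d{12}:key/.+$")`. The `testAccCheckEfsFileSystemDestroy` function at the end of the hunk continues outside it.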
@@ -351,3 +387,29 @@ resource "aws_efs_file_system" "foo-with-performance-mode" { performance_mode = "maxIO" } ` + +func testAccAWSEFSFileSystemConfigWithKmsKey(rInt int) string { + return fmt.Sprintf(` +resource "aws_kms_key" "foo" { + description = "Terraform acc test %d" +} + +resource "aws_efs_file_system" "foo-with-kms" { + encrypted = true + kms_key_id = "${aws_kms_key.foo.arn}" +} +`, rInt) +} + +func testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption(rInt int) string { + return fmt.Sprintf(` +resource "aws_kms_key" "foo" { + description = "Terraform acc test %d" +} + +resource "aws_efs_file_system" "foo-with-kms" { + encrypted = false + kms_key_id = "${aws_kms_key.foo.arn}" +} +`, rInt) +} diff --git a/website/docs/d/efs_file_system.html.markdown b/website/docs/d/efs_file_system.html.markdown index 4441e01eb05..1a3fc70542a 100644 --- a/website/docs/d/efs_file_system.html.markdown +++ b/website/docs/d/efs_file_system.html.markdown @@ -28,7 +28,7 @@ data "aws_efs_file_system" "by_id" { The following arguments are supported: * `file_system_id` - (Optional) The ID that identifies the file system (e.g. fs-ccfc0d65). -* `creation_token` - (Optional) Restricts the list to the file system with this creation token +* `creation_token` - (Optional) Restricts the list to the file system with this creation token. ## Attributes Reference @@ -36,4 +36,5 @@ The following attributes are exported: * `performance_mode` - The PerformanceMode of the file system. * `tags` - The list of tags assigned to the file system. - +* `encrypted` - Whether EFS is encrypted. +* `kms_key_id` - The ARN for the KMS encryption key. diff --git a/website/docs/r/efs_file_system.html.markdown b/website/docs/r/efs_file_system.html.markdown index c65d1322d99..692b4eb72e7 100644 --- a/website/docs/r/efs_file_system.html.markdown +++ b/website/docs/r/efs_file_system.html.markdown 
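Review bot: testAccAWSEFSFileSystemConfigWithKmsKeyNoEncryption declares a real `aws_kms_key` even though the scenario it drives only needs to reach the client-side `encrypted must be set to true when kms_key_id is specified` error, which the Create path returns before conn.CreateFileSystem is called. Terraform will still create the KMS key first because the file system depends on it, and as far as I know a KMS key destroyed by the provider is scheduled for deletion rather than removed immediately, so every run of the negative test leaves a pending-deletion key behind. Since `kms_key_id` only has to satisfy `validateArn`, a static well-formed placeholder such as `kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"` exercises the same branch without touching KMS; the real key belongs in the positive test only. The `%d`/rInt parameter of the negative helper then becomes unnecessary.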
@@ -39,12 +39,15 @@ default generated by Terraform. * `performance_mode` - (Optional) The file system performance mode. Can be either `"generalPurpose"` or `"maxIO"` (Default: `"generalPurpose"`). * `tags` - (Optional) A mapping of tags to assign to the file system. +* `encrypted` - (Optional) If true, the disk will be encrypted. +* `kms_key_id` - (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true. ## Attributes Reference The following attributes are exported: * `id` - The ID that identifies the file system (e.g. fs-ccfc0d65). +* `kms_key_id` - The ARN for the KMS encryption key. ## Import