
Metadata

Id: bd77554e-f138-40c5-91b2-2a09f878608e

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Encryption

Learn More

Description

EFS filesystems should be encrypted with a customer-managed AWS KMS CMK to protect data at rest and maintain control over key rotation, access policies, and audit logging.

In Ansible, the kms_key_id option on the community.aws.efs (or legacy efs) module must be defined and set to a customer-managed key identifier (KMS key ID, key ARN, alias, or alias ARN) rather than relying on the AWS-managed key. Tasks that omit kms_key_id or leave it undefined are flagged by this rule: with encrypt: yes they fall back to the AWS-managed key aws/elasticfilesystem, and without encrypt at all they create an unencrypted file system.

Two caveats apply when fixing a flagged task. First, the EFS CreateFileSystem API rejects a request that carries a KmsKeyId without Encrypted set to true, so kms_key_id must always be paired with encrypt: yes. Second, encryption at rest is chosen only when the file system is created; re-running the task against an existing unencrypted file system does not encrypt it, the data has to be migrated to a new, encrypted file system. The key policy of the customer-managed key must also allow the principal running the task to use the key on EFS's behalf (including creating grants), or the creation call fails.

Secure configuration example:

- name: Create encrypted EFS filesystem
  community.aws.efs:
    name: my-efs
    performance_mode: generalPurpose
    encrypt: yes
    kms_key_id: arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890
    state: present
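The following is an added example, not code from the original page or from Datadog, that implements the check this rule describes as a small linter over a parsed playbook. It walks every task (including tasks nested in block/rescue/always), recognises the community.aws.efs and legacy efs module names, and reports a file system that is not encrypted, that has no kms_key_id, or whose kms_key_id points at the AWS-managed alias aws/elasticfilesystem. The sample playbook embedded below is constructed for the example and mirrors the compliant and non-compliant tasks on this page; the load_playbook helper assumes PyYAML is installed and is only needed when reading a real file.

```python
"""Flag Ansible EFS tasks that do not pin a customer-managed KMS key."""
from __future__ import annotations

from typing import Any, Iterator, List, Optional

# Module names under which the EFS module can appear in a task.
EFS_MODULE_NAMES = ("community.aws.efs", "efs")

# Alias of the AWS-managed key that EFS uses when no customer-managed key is given.
AWS_MANAGED_EFS_KEY = "aws/elasticfilesystem"


def _is_true(value: Any) -> bool:
    """Interpret the YAML/Ansible spellings of a boolean (yes, true, on, 1)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true", "on", "1"}
    return False


def find_efs_args(task: dict) -> Optional[dict]:
    """Return the EFS module arguments of a task, or None if it is not an EFS task."""
    for name in EFS_MODULE_NAMES:
        if name in task:
            args = task[name]
            return args if isinstance(args, dict) else {}
    return None


def check_efs_task(task: dict) -> List[str]:
    """Return the findings for one task (empty list means compliant or not applicable)."""
    args = find_efs_args(task)
    if args is None or args.get("state", "present") == "absent":
        return []
    findings = []
    key = args.get("kms_key_id")
    if key is None or not str(key).strip():
        findings.append("kms_key_id is not set; the AWS-managed key would be used")
    elif AWS_MANAGED_EFS_KEY in str(key):
        findings.append("kms_key_id points at the AWS-managed key, not a customer-managed CMK")
    if not _is_true(args.get("encrypt", False)):
        # Without encrypt: yes the file system is created unencrypted, and a
        # kms_key_id given without it is rejected by the CreateFileSystem API.
        findings.append("encrypt is not yes; kms_key_id requires encrypt: yes")
    return findings


def iter_tasks(tasks: list) -> Iterator[dict]:
    """Yield tasks recursively, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [task.get(k) for k in ("block", "rescue", "always") if task.get(k)]
        if nested:
            for section in nested:
                yield from iter_tasks(section)
        else:
            yield task


def check_playbook(plays: list) -> List[str]:
    """Return 'task name: finding' lines for every non-compliant EFS task in a playbook."""
    results = []
    for play in plays or []:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section, [])):
                for finding in check_efs_task(task):
                    results.append(f"{task.get('name', '<unnamed>')}: {finding}")
    return results


def load_playbook(path: str) -> list:
    """Load a playbook file; assumes PyYAML is available (only needed for real files)."""
    import yaml  # imported lazily so the rest of the module runs without it
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or []


# Constructed sample playbook: one compliant task, three flagged ones, one unrelated task.
SAMPLE_PLAYBOOK = [{
    "hosts": "localhost",
    "tasks": [
        {"name": "good-efs", "community.aws.efs": {
            "state": "present", "name": "myTestEFS", "encrypt": "yes",
            "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890"}},
        {"name": "plain-efs", "efs": {"state": "present", "name": "plainEFS", "encrypt": "no"}},
        {"name": "default-key-efs", "community.aws.efs": {"state": "present", "name": "d", "encrypt": True}},
        {"name": "key-no-encrypt", "community.aws.efs": {"state": "present", "name": "k", "kms_key_id": "alias/my-efs-key"}},
        {"name": "unrelated", "ansible.builtin.debug": {"msg": "hi"}},
    ],
}]

if __name__ == "__main__":
    for line in check_playbook(SAMPLE_PLAYBOOK):
        print(line)
```

Running the module prints four findings for the sample playbook: plain-efs is reported twice (no key and not encrypted), default-key-efs once for the missing key, and key-no-encrypt once because its kms_key_id is not paired with encrypt: yes. Only the `encrypt`/`kms_key_id` pair on the create path is checked; it deliberately ignores state: absent tasks and anything that is not the EFS module.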

Compliant Code Examples

- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
    kms_key_id: "some-key-id"

Non-Compliant Code Examples

---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]