---
title: EFS not encrypted
description: Datadog, the leading service for cloud-scale monitoring.
---

# EFS not encrypted

## Metadata{% #metadata %}

**Id:** `727c4fd4-d604-4df6-a179-7713d3c85e20`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-encrypt)

### Description{% #description %}

EFS file systems must have encryption enabled to protect data at rest and prevent exposure of file system contents, snapshots, and backups if storage media is compromised. For Ansible tasks using the `community.aws.efs` or `efs` modules, the `encrypt` property must be defined and set to `true`. Resources that omit `encrypt` or have `encrypt: false` are flagged as misconfigured.

Secure example:

```yaml
- name: Create encrypted EFS filesystem
  community.aws.efs:
    name: my-efs
    encrypt: true
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: true
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo2
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: false
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
- name: foo3
  community.aws.efs:
    state: present
    name: myTestEFS
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
```
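
The check described above, as an added example (not Datadog's rule implementation): a static pass over already-parsed Ansible tasks that flags `community.aws.efs` / `efs` tasks where `encrypt` is missing or not true. The function names and sample tasks are constructed for illustration. Accepting quoted strings such as `"yes"` follows Ansible's boolean conversion and is an assumption about how strict a checker should be; templated values are treated as not statically true.

```python
# Added example: static check mirroring the rule described on this page.
EFS_MODULES = {"community.aws.efs", "efs"}  # module names from the rule text
# Strings Ansible's boolean conversion treats as true (after lowercasing).
ANSIBLE_TRUE = {"y", "yes", "on", "1", "true", "t"}


def is_enabled(value):
    """Return True only when `encrypt` is statically known to be true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in ANSIBLE_TRUE
    return False


def find_unencrypted_efs(tasks):
    """Return (task name, module, reason) for each EFS task that would be flagged."""
    findings = []
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        for module in sorted(EFS_MODULES):
            if module not in task:
                continue
            # Assumption: free-form string arguments are treated as having no `encrypt` key.
            args = task[module] if isinstance(task[module], dict) else {}
            if "encrypt" not in args:
                findings.append((task.get("name"), module, "encrypt is undefined"))
            elif not is_enabled(args["encrypt"]):
                findings.append((task.get("name"), module, "encrypt is not true"))
    return findings


# Constructed sample: the page's task shapes as a YAML 1.1 parser would load them
# (unquoted yes/no become booleans); foo4 uses a quoted string and the short module name.
SAMPLE_TASKS = [
    {"name": "foo", "community.aws.efs": {"name": "myTestEFS", "encrypt": True}},
    {"name": "foo2", "community.aws.efs": {"name": "myTestEFS", "encrypt": False}},
    {"name": "foo3", "community.aws.efs": {"name": "myTestEFS"}},
    {"name": "foo4", "efs": {"name": "myTestEFS", "encrypt": "no"}},
    {"name": "other", "ansible.builtin.debug": {"msg": "not an EFS task"}},
]

if __name__ == "__main__":
    for name, module, reason in find_unencrypted_efs(SAMPLE_TASKS):
        print(f"{name}: {module}: {reason}")
```

To scan a real playbook, load it with a YAML parser first and pass the resulting task list to `find_unencrypted_efs`.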
