---
title: EFS without KMS
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EFS without KMS
---

# EFS without KMS

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `bd77554e-f138-40c5-91b2-2a09f878608e`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Low

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id)

### Description{% #description %}

EFS filesystems should be encrypted with a customer-managed AWS KMS CMK to protect data at rest and maintain control over key rotation, access policies, and audit logging.

In Ansible, the `kms_key_id` option on the `community.aws.efs` (or legacy `efs`) module must be defined and set to a customer-managed key identifier (KMS key ID, key ARN, or alias) rather than relying on the AWS-managed key. Tasks that omit `kms_key_id` or leave it undefined default to an AWS-managed key and are flagged by this rule.

Secure configuration example:

```yaml
- name: Create encrypted EFS filesystem
  community.aws.efs:
    name: my-efs
    performance_mode: generalPurpose
    encrypt: true  # kms_key_id is only applied to an encrypted file system
    kms_key_id: arn:aws:kms:us-east-1:123456789012:key/abcdef12-3456-7890-abcd-ef1234567890
    state: present
```
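As an added example (not Datadog's rule engine and not the Ansible collection's code), the following checker applies this rule to parsed Ansible tasks, walking plays and `block`/`rescue`/`always` sections and reporting EFS tasks whose `kms_key_id` is missing or empty. The sample tasks are constructed, and the extra `encrypt` check goes one step beyond the rule because AWS only honors a KMS key on a file system created with encryption enabled.

```python
# Added example, not Datadog's or the Ansible collection's code: a minimal
# checker for the "EFS without KMS" rule over parsed Ansible tasks.
EFS_MODULES = {"community.aws.efs", "efs"}  # FQCN and legacy module name
TRUTHY = {True, "yes", "true", "on"}        # YAML 1.1 / Ansible booleans
NESTING = ("tasks", "pre_tasks", "post_tasks", "block", "rescue", "always")


def iter_tasks(items):
    """Yield leaf tasks, descending into plays and block sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = [k for k in NESTING if k in item]
        if nested:
            for key in nested:
                yield from iter_tasks(item[key])
        else:
            yield item


def find_efs_without_kms(tasks):
    """Return (task name, reason) pairs for EFS tasks violating the rule."""
    findings = []
    for task in iter_tasks(tasks):
        module = next((k for k in task if k in EFS_MODULES), None)
        if module is None:
            continue
        args = task.get(module) or {}
        name = task.get("name", "<unnamed>")
        # kms_key_id is only honored on an encrypted file system, so report
        # encryption being off as well as a missing or empty key id.
        if args.get("encrypt") not in TRUTHY:
            findings.append((name, "encrypt is not enabled"))
        if not args.get("kms_key_id"):
            findings.append((name, "kms_key_id is missing or empty"))
    return findings


# Constructed sample, as yaml.safe_load would return it (`encrypt: yes` -> True).
SAMPLE_TASKS = [
    {"name": "compliant", "community.aws.efs": {
        "state": "present", "name": "myTestEFS",
        "encrypt": True, "kms_key_id": "some-key-id"}},
    {"name": "legacy-unencrypted", "efs": {
        "state": "present", "name": "legacyEFS", "encrypt": False}},
    {"block": [{"name": "encrypted-default-key", "community.aws.efs": {
        "state": "present", "name": "defaultKeyEFS", "encrypt": "true"}}]},
]

if __name__ == "__main__":
    for name, reason in find_efs_without_kms(SAMPLE_TASKS):
        print(f"{name}: {reason}")
```

To run it against a real playbook, pass the result of `yaml.safe_load` (PyYAML) on the file to `find_efs_without_kms`.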

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: yes
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
    - subnet_id: subnet-748c5d03
      security_groups: [sg-1a2b3c4d]
    kms_key_id: "some-key-id"
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: foo
  community.aws.efs:
    state: present
    name: myTestEFS
    encrypt: no
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: ["sg-1a2b3c4d"]
```
