
Metadata

Id: b8a9852c-9943-4973-b8d5-77dae9352851

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Build Process

Description

EFS filesystems must have tags defined to support asset identification, tag-based access control, cost allocation, and automated lifecycle or compliance policies. For Ansible tasks using the community.aws.efs or efs modules, the tags property must be present and contain at least one key/value pair. Tasks that omit the tags property or provide an empty mapping are flagged as missing required metadata.

Secure example:

- name: Create EFS filesystem
  community.aws.efs:
    state: present
    name: my-efs
    performance_mode: generalPurpose
    tags:
      Name: my-efs
      Environment: production

Compliant Code Examples

- name: EFS provisioning
  community.aws.efs:
    state: present
    name: myTestEFS
    tags:
      Name: myTestNameTag
      purpose: file-storage
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: [ "sg-1a2b3c4d" ]

Non-Compliant Code Examples

- name: EFS provisioning without tags
  community.aws.efs:
    state: present
    name: myTestEFS
    targets:
      - subnet_id: subnet-748c5d03
        security_groups: [ "sg-1a2b3c4d" ]
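As an added example (not part of this rule page or of Datadog's scanner), the check the description above implies, run over already-parsed Ansible tasks such as PyYAML would return for a playbook; the recursion into block/rescue/always and the handling of non-mapping module arguments are assumptions about how a practitioner would generalize it.

```python
# Added example, not Datadog's implementation: flag community.aws.efs / efs tasks
# whose "tags" is missing, not a mapping, or an empty mapping, per the rule text.

EFS_MODULES = {"community.aws.efs", "efs"}  # module names taken from the rule description


def missing_tags(task):
    """Return True if this task uses an EFS module without at least one key/value tag."""
    for module in EFS_MODULES:
        if module in task:
            args = task[module] or {}
            # Free-form string arguments carry no tags mapping; treat them as untagged.
            tags = args.get("tags") if isinstance(args, dict) else None
            return not (isinstance(tags, dict) and len(tags) > 0)
    return False  # not an EFS task


def find_untagged_efs(tasks):
    """Walk a task list (assumption: also recurse into block/rescue/always) and
    return the names of tasks that violate the rule, in playbook order."""
    findings = []
    for task in tasks:
        if missing_tags(task):
            findings.append(task.get("name", "<unnamed task>"))
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                findings.extend(find_untagged_efs(task[section]))
    return findings


# Constructed sample mirroring the compliant and non-compliant examples on this page,
# plus an empty-mapping case and an unrelated task.
SAMPLE_TASKS = [
    {"name": "EFS provisioning",
     "community.aws.efs": {"state": "present", "name": "myTestEFS",
                           "tags": {"Name": "myTestNameTag", "purpose": "file-storage"},
                           "targets": [{"subnet_id": "subnet-748c5d03",
                                        "security_groups": ["sg-1a2b3c4d"]}]}},
    {"name": "EFS provisioning without tags",
     "community.aws.efs": {"state": "present", "name": "myTestEFS",
                           "targets": [{"subnet_id": "subnet-748c5d03",
                                        "security_groups": ["sg-1a2b3c4d"]}]}},
    {"name": "EFS with empty tags", "efs": {"state": "present", "name": "myTestEFS", "tags": {}}},
    {"name": "Unrelated task", "debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for name in find_untagged_efs(SAMPLE_TASKS):
        print(f"FLAGGED: {name}")
```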