For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-efs-not-encrypted.md.
Amazon EFS file systems must have encryption enabled to protect data at rest. Without encryption, file data, backups, and snapshots can be exposed if storage media or underlying infrastructure is compromised.
For AWS::EFS::FileSystem resources, the Properties.Encrypted property must be set to true. This rule flags resources with Encrypted set to false. To ensure encryption is always applied, explicitly set Encrypted to true and optionally specify KmsKeyId to use a customer-managed AWS KMS key; KmsKeyId is only valid when Encrypted is true, and without it EFS uses the AWS-managed key (aws/elasticfilesystem). Note that encryption is fixed when the file system is created: adding Encrypted: true to an existing unencrypted file system makes CloudFormation replace the resource, so copy the data to the new file system before rolling the change out.
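As an added example (not part of the Datadog rule or of the page's own templates), the following Python scans a CloudFormation template in JSON form for the condition described above and applies the fix. The template it scans is constructed for the example, the KMS alias `alias/efs-prod` is a placeholder, and the check is deliberately stricter than the rule as documented: it also reports file systems that omit `Encrypted` altogether, since nothing in such a template requests encryption, and it reports values it cannot decide statically (a `Ref` or intrinsic function). YAML templates that use `!Ref`-style tags would need a CloudFormation-aware YAML loader first, which this example does not include.

```python
import copy
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample template for this example (not taken from the page): one
# encrypted file system, one explicitly unencrypted, one that omits Encrypted,
# one whose value is a string, one whose value is a parameter reference, and
# one unrelated resource that the check must ignore.
SAMPLE_TEMPLATE: Dict[str, Any] = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"EncryptFlag": {"Type": "String", "Default": "true"}},
  "Resources": {
    "GoodFS":   {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": true, "KmsKeyId": "alias/efs-prod"}},
    "BadFS":    {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": false}},
    "SilentFS": {"Type": "AWS::EFS::FileSystem", "Properties": {"PerformanceMode": "generalPurpose"}},
    "StringFS": {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": "false"}},
    "RefFS":    {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": {"Ref": "EncryptFlag"}}},
    "Bucket":   {"Type": "AWS::S3::Bucket"}
  }
}
""")


def _literal_bool(value: Any) -> Any:
    """CloudFormation accepts JSON true/false or the strings "true"/"false" for
    Boolean properties. Returns a Python bool for those; anything else (a Ref,
    Fn::If, ...) is returned unchanged so the caller can report it as not
    statically decidable rather than silently passing it."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return value


def find_unencrypted_efs(template: Dict[str, Any], flag_missing: bool = True) -> List[Tuple[str, str]]:
    """Return (logical_id, reason) for every AWS::EFS::FileSystem whose Encrypted
    property is not a literal true. With flag_missing=True an absent property is
    also reported; this goes beyond the rule described above, which only flags an
    explicit false."""
    findings: List[Tuple[str, str]] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EFS::FileSystem":
            continue
        props = resource.get("Properties") or {}
        if "Encrypted" not in props:
            if flag_missing:
                findings.append((logical_id, "Encrypted is not set; the template does not request encryption"))
            continue
        value = _literal_bool(props["Encrypted"])
        if value is True:
            continue
        if value is False:
            findings.append((logical_id, "Encrypted is false"))
        else:
            findings.append((logical_id, "Encrypted is not a literal boolean: " + json.dumps(props["Encrypted"])))
    return findings


def remediate(template: Dict[str, Any], kms_key_id: Optional[str] = None) -> Dict[str, Any]:
    """Return a deep copy of the template with Encrypted forced to true on every
    EFS file system and, optionally, a customer-managed KMS key attached. Because
    Encrypted cannot change on an existing file system, deploying this diff
    replaces the resource; migrate data first."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == "AWS::EFS::FileSystem":
            props = resource.get("Properties") or {}
            props["Encrypted"] = True
            if kms_key_id:
                props["KmsKeyId"] = kms_key_id  # placeholder alias in this example
            resource["Properties"] = props
    return fixed


if __name__ == "__main__":
    for logical_id, reason in find_unencrypted_efs(SAMPLE_TEMPLATE):
        print(f"FAIL {logical_id}: {reason}")
    fixed = remediate(SAMPLE_TEMPLATE, kms_key_id="alias/efs-prod")
    print("after remediation:", find_unencrypted_efs(fixed) or "no findings")
```

Run it as a pre-deploy gate on the JSON rendered by your pipeline (for example the output of `aws cloudformation get-template` or of a CDK synth); a non-empty result from `find_unencrypted_efs` should fail the job. The `RefFS` case is reported rather than resolved on purpose: a parameter can default to "true" and still be overridden to "false" at deploy time, so only a literal `true` in the template is evidence of encryption.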
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
  VPC:
    Type: String
    Description: The VPC identity
    Default: vpc-ID
  SubnetID1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
  SubnetID3:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID4:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  EFSSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for the prod EFS"
      GroupName: "test-EFS-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - SourceSecurityGroupId: sg-ID
          Description: "servers to connect to efs"
          FromPort: 2049
          IpProtocol: "tcp"
          ToPort: 2049
      Tags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS-SG
        - Key: Project
          Value: ITEngineering
  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      Encrypted: true
      LifecyclePolicies:
        - TransitionToIA: AFTER_60_DAYS
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS
        - Key: Project
          Value: ITEngineering
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID1
  MountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID2
  MountTarget3:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID3
  MountTarget4:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {"Type": "String", "Description": "The VPC identity", "Default": "vpc-ID"},
    "SubnetID1": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID2": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"},
    "SubnetID3": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID4": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"}
  },
  "Resources": {
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp",
            "ToPort": 2049
          }
        ],
        "Tags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS-SG"},
          {"Key": "Project", "Value": "ITEngineering"}
        ]
      }
    },
    "EFSFileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {"Status": "ENABLED"},
        "Encrypted": true,
        "LifecyclePolicies": [{"TransitionToIA": "AFTER_60_DAYS"}],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS"},
          {"Key": "Project", "Value": "ITEngineering"}
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID1"}
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID2"}
      }
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID3"}
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID4"}
      }
    }
  },
  "Outputs": {
    "EFS": {"Description": "The created EFS", "Value": {"Ref": "EFSFileSystem"}},
    "EFSMountTarget1": {"Description": "The EFS MountTarget1", "Value": {"Ref": "MountTarget1"}},
    "EFSMountTarget2": {"Description": "The EFS MountTarget2", "Value": {"Ref": "MountTarget2"}},
    "EFSMountTarget3": {"Description": "The EFS MountTarget3", "Value": {"Ref": "MountTarget3"}},
    "EFSMountTarget4": {"Description": "The EFS MountTarget4", "Value": {"Ref": "MountTarget4"}}
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
  VPC:
    Type: String
    Description: The VPC identity
    Default: vpc-ID
  SubnetID1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
  SubnetID3:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID4:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  EFSSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for the prod EFS"
      GroupName: "test-EFS-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - SourceSecurityGroupId: sg-ID
          Description: "servers to connect to efs"
          FromPort: 2049
          IpProtocol: "tcp"
          ToPort: 2049
      Tags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS-SG
        - Key: Project
          Value: ITEngineering
  EFSFileSystem01:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      Encrypted: false
      LifecyclePolicies:
        - TransitionToIA: AFTER_60_DAYS
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS
        - Key: Project
          Value: ITEngineering
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID1
  MountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID2
  MountTarget3:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID3
  MountTarget4:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {"Type": "String", "Description": "The VPC identity", "Default": "vpc-ID"},
    "SubnetID1": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID2": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"},
    "SubnetID3": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID4": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"}
  },
  "Resources": {
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp",
            "ToPort": 2049
          }
        ],
        "Tags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS-SG"},
          {"Key": "Project", "Value": "ITEngineering"}
        ]
      }
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {"Status": "ENABLED"},
        "Encrypted": false,
        "LifecyclePolicies": [{"TransitionToIA": "AFTER_60_DAYS"}],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS"},
          {"Key": "Project", "Value": "ITEngineering"}
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem01"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID1"}
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem01"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID2"}
      }
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem01"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID3"}
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": {"Ref": "EFSFileSystem01"},
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [{"Ref": "EFSSecurityGroup"}],
        "SubnetId": {"Ref": "SubnetID4"}
      }
    }
  },
  "Outputs": {
    "EFS": {"Description": "The created EFS", "Value": {"Ref": "EFSFileSystem01"}},
    "EFSMountTarget1": {"Description": "The EFS MountTarget1", "Value": {"Ref": "MountTarget1"}},
    "EFSMountTarget2": {"Description": "The EFS MountTarget2", "Value": {"Ref": "MountTarget2"}},
    "EFSMountTarget3": {"Description": "The EFS MountTarget3", "Value": {"Ref": "MountTarget3"}},
    "EFSMountTarget4": {"Description": "The EFS MountTarget4", "Value": {"Ref": "MountTarget4"}}
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```