---
title: EFS volume with disabled transit encryption
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EFS volume with disabled transit encryption
---

# EFS volume with disabled transit encryption

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-efs-volume-with-disabled-transit-encryption` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html)

### Description{% #description %}

Amazon ECS task definitions that mount Amazon EFS volumes must enable in-transit encryption to protect data transmitted between containers and the file system from interception or tampering.

In CloudFormation, the `AWS::ECS::TaskDefinition` resource's `Properties.volumes[*].efsVolumeConfiguration.TransitEncryption` property must be defined and set to `ENABLED`. Resources missing this property or with `TransitEncryption` set to any value other than `ENABLED` will be flagged.

Secure example:

```yaml
MyTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: my-task
    ContainerDefinitions: []
    Volumes:
      - Name: MyEfsVolume
        EFSVolumeConfiguration:
          FileSystemId: fs-0123456789abcdef0
          TransitEncryption: ENABLED
```