---
title: EFS without KMS
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EFS without KMS
---

# EFS without KMS

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-efs-without-kms`

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Low

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html)

### Description{% #description %}

Amazon EFS file systems must be encrypted at rest using an AWS KMS customer-managed key (CMK) to protect stored data from unauthorized access and to enable customer-controlled key rotation, access policies, and audit logging.

In CloudFormation, ensure resources of type `AWS::EFS::FileSystem` have `Encrypted` set to `true` and specify `KmsKeyId` referencing a customer-managed AWS KMS key (ARN, alias, or `Ref` to an `AWS::KMS::Key`). Resources with `Encrypted` missing or set to `false`, or without a valid `KmsKeyId` that points to a customer-managed CMK, will be flagged.

Secure configuration example:

```yaml
MyEfs:
  Type: AWS::EFS::FileSystem
  Properties:
    Encrypted: true
    KmsKeyId: !Ref MyKmsKey

MyKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: "Customer-managed CMK for EFS encryption"
```
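As an added example (not part of this Datadog page or its rule engine), the following Python implements the check the description spells out over a parsed CloudFormation template: it flags `AWS::EFS::FileSystem` resources whose `Encrypted` is missing or not `true`, or whose `KmsKeyId` is absent, points at a resource that is not an `AWS::KMS::Key`, or names an AWS-managed `alias/aws/` key rather than a customer-managed CMK. The template is a constructed sample in CloudFormation JSON form (`{"Ref": "X"}` is the JSON spelling of `!Ref X`) so it runs with the standard library only; `find_efs_without_kms` and `_kms_key_is_customer_managed` are names assumed here.

```python
import json

EFS_TYPE = "AWS::EFS::FileSystem"
KMS_KEY_TYPE = "AWS::KMS::Key"
# Aliases under alias/aws/ (bare or inside an ARN) name AWS-managed keys,
# which are not customer-managed CMKs and so do not satisfy this rule.
AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"


def _kms_key_is_customer_managed(kms_key_id, resources):
    """True when KmsKeyId is a Ref/GetAtt to an AWS::KMS::Key in this template,
    or a literal key id, ARN or alias that is not an AWS-managed alias."""
    if isinstance(kms_key_id, dict):
        target = kms_key_id.get("Ref")
        if target is None:  # e.g. {"Fn::GetAtt": ["EFSKMSKey", "Arn"]}
            target = (kms_key_id.get("Fn::GetAtt") or [None])[0]
        return resources.get(target, {}).get("Type") == KMS_KEY_TYPE
    if not isinstance(kms_key_id, str) or not kms_key_id.strip():
        return False
    return AWS_MANAGED_ALIAS_PREFIX not in kms_key_id


def find_efs_without_kms(template):
    """Return logical IDs of AWS::EFS::FileSystem resources the rule flags."""
    resources = template.get("Resources") or {}
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != EFS_TYPE:
            continue
        props = resource.get("Properties") or {}
        # Encrypted must be literally true; missing or false fails the rule.
        encrypted = str(props.get("Encrypted", False)).lower() == "true"
        if not encrypted or not _kms_key_is_customer_managed(props.get("KmsKeyId"), resources):
            findings.append(logical_id)
    return findings


# Constructed sample template in JSON form ({"Ref": "X"} is the same as YAML !Ref X).
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "EFSKMSKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "CMK for EFS"}},
    "GoodEfs": {"Type": "AWS::EFS::FileSystem",
                "Properties": {"Encrypted": true, "KmsKeyId": {"Ref": "EFSKMSKey"}}},
    "NotEncryptedEfs": {"Type": "AWS::EFS::FileSystem",
                "Properties": {"Encrypted": false, "KmsKeyId": {"Ref": "EFSKMSKey"}}},
    "NoKeyEfs": {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": true}},
    "AwsManagedKeyEfs": {"Type": "AWS::EFS::FileSystem",
                "Properties": {"Encrypted": true, "KmsKeyId": "alias/aws/elasticfilesystem"}},
    "WrongRefEfs": {"Type": "AWS::EFS::FileSystem",
                "Properties": {"Encrypted": true, "KmsKeyId": {"Ref": "VPC"}}}
  }
}""")
```

Only `GoodEfs` passes; the other four file systems are the failure modes the description lists.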

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSKMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "An example CMK with KMS"
        KeyPolicy:
          Version: "2012-10-17"
          Id: "efs-default-key1"
          Statement:
          -   Sid: "Allow administration of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:Create*"
                - "kms:Describe*"
                - "kms:Enable*"
                - "kms:List*"
                - "kms:Put*"
                - "kms:Update*"
                - "kms:Revoke*"
                - "kms:Disable*"
                - "kms:Get*"
                - "kms:Delete*"
                - "kms:ScheduleKeyDeletion"
                - "kms:CancelKeyDeletion"
              Resource: "*"
          -   Sid: "Allow use of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:DescribeKey"
                - "kms:Encrypt"
                - "kms:Decrypt"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey"
                - "kms:GenerateDataKeyWithoutPlaintext"
              Resource: "*"
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: true
            KmsKeyId: !Ref EFSKMSKey
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSKMSKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "An example CMK with KMS"
        KeyPolicy:
          Version: "2012-10-17"
          Id: "efs-default-key1"
          Statement:
          -   Sid: "Allow administration of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:Create*"
                - "kms:Describe*"
                - "kms:Enable*"
                - "kms:List*"
                - "kms:Put*"
                - "kms:Update*"
                - "kms:Revoke*"
                - "kms:Disable*"
                - "kms:Get*"
                - "kms:Delete*"
                - "kms:ScheduleKeyDeletion"
                - "kms:CancelKeyDeletion"
              Resource: "*"
          -   Sid: "Allow use of the key"
              Effect: "Allow"
              Principal:
                AWS: "arn:aws:iam::999999999999:user/roger"
              Action:
                - "kms:DescribeKey"
                - "kms:Encrypt"
                - "kms:Decrypt"
                - "kms:ReEncrypt*"
                - "kms:GenerateDataKey"
                - "kms:GenerateDataKeyWithoutPlaintext"
              Resource: "*"
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: false
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
