Amazon EFS file systems must be encrypted at rest using an AWS KMS customer-managed key (CMK) to protect stored data from unauthorized access and to enable customer-controlled key rotation, access policies, and audit logging.
In CloudFormation, ensure resources of type AWS::EFS::FileSystem have Encrypted set to true and specify KmsKeyId referencing a customer-managed AWS KMS key (ARN, alias, or Ref to an AWS::KMS::Key). Resources with Encrypted missing or set to false, or without a valid KmsKeyId that points to a customer-managed CMK, will be flagged.
Secure configuration example:
```yaml
MyEfs:
  Type: AWS::EFS::FileSystem
  Properties:
    Encrypted: true
    KmsKeyId: !Ref MyKmsKey
MyKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: "Customer-managed CMK for EFS encryption"
```
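The rule logic described above, applied as a small checker over CloudFormation templates in JSON form. This is an added example and not Datadog's own rule implementation: it flags an `AWS::EFS::FileSystem` when `Encrypted` is not true or when `KmsKeyId` does not point at a customer-managed key (a key ARN, a customer alias, or a `Ref`/`Fn::GetAtt` to an `AWS::KMS::Key` in the same template), and it also rejects `alias/aws/` aliases because those belong to AWS-managed keys whose policy and rotation the customer does not control. The sample templates, logical names and the alias string are constructed for the example.

```python
"""Added example (not Datadog's rule implementation): apply the check described
above to CloudFormation templates already parsed from JSON.

Compliance per the rule text: Encrypted is true and KmsKeyId points at a
customer-managed KMS key (key ARN, customer alias, or Ref/Fn::GetAtt to an
AWS::KMS::Key in the same template). All sample templates below are constructed.
"""
import json

# Aliases under alias/aws/ belong to AWS-managed keys: the customer cannot edit
# their key policy or control rotation, so they do not satisfy the rule.
AWS_MANAGED_ALIAS_PREFIX = "alias/aws/"


def _points_at_customer_managed_key(value, resources):
    """True if `value` is an acceptable KmsKeyId for this rule."""
    if isinstance(value, dict):
        # Intrinsic reference: {"Ref": "X"} or {"Fn::GetAtt": ["X", "Arn"]}
        target = value.get("Ref")
        if target is None and isinstance(value.get("Fn::GetAtt"), list):
            target = value["Fn::GetAtt"][0]
        return resources.get(target, {}).get("Type") == "AWS::KMS::Key"
    if isinstance(value, str):
        if AWS_MANAGED_ALIAS_PREFIX in value:
            return False
        if value.startswith("arn:") and ":kms:" in value:
            return True  # key ARN or alias ARN
        if value.startswith("alias/"):
            return True  # customer-created alias
        # A bare logical id, as in the JSON templates on this page.
        return resources.get(value, {}).get("Type") == "AWS::KMS::Key"
    return False


def check_efs_encryption(template):
    """Return [(logical_id, reason), ...] for every non-compliant file system."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::EFS::FileSystem":
            continue
        props = res.get("Properties") or {}
        # CloudFormation accepts the string "true" as well as a JSON boolean.
        if props.get("Encrypted") not in (True, "true"):
            findings.append((logical_id, "Encrypted is missing or not true"))
        kms_key = props.get("KmsKeyId")
        if kms_key is None:
            findings.append((logical_id, "KmsKeyId is missing"))
        elif not _points_at_customer_managed_key(kms_key, resources):
            findings.append((logical_id, "KmsKeyId is not a customer-managed KMS key"))
    return findings


# Constructed sample templates (not taken from the page).
COMPLIANT_TEMPLATE = json.loads("""{
  "Resources": {
    "EfsKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "CMK for EFS"}},
    "Data": {"Type": "AWS::EFS::FileSystem",
             "Properties": {"Encrypted": true, "KmsKeyId": {"Ref": "EfsKey"}}}
  }
}""")

NONCOMPLIANT_TEMPLATE = json.loads("""{
  "Resources": {
    "Data": {"Type": "AWS::EFS::FileSystem",
             "Properties": {"Encrypted": false, "PerformanceMode": "generalPurpose"}}
  }
}""")

AWS_MANAGED_KEY_TEMPLATE = json.loads("""{
  "Resources": {
    "Data": {"Type": "AWS::EFS::FileSystem",
             "Properties": {"Encrypted": true, "KmsKeyId": "alias/aws/elasticfilesystem"}}
  }
}""")


if __name__ == "__main__":
    for name, tpl in [("compliant", COMPLIANT_TEMPLATE),
                      ("noncompliant", NONCOMPLIANT_TEMPLATE),
                      ("aws-managed-key", AWS_MANAGED_KEY_TEMPLATE)]:
        print(name, check_efs_encryption(tpl) or "OK")
```

Run it with any CloudFormation template converted to JSON; a YAML template with short-form tags (`!Ref`) needs a loader that maps those tags to `{"Ref": ...}` first. The two findings for the non-compliant template are reported separately so a fix can be verified one property at a time.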
Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
  VPC:
    Type: String
    Description: The VPC identity
    Default: vpc-ID
  SubnetID1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
  SubnetID3:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID4:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  EFSKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "An example CMK with KMS"
      KeyPolicy:
        Version: "2012-10-17"
        Id: "efs-default-key1"
        Statement:
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::999999999999:user/roger"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::999999999999:user/roger"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"
  EFSSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for the prod EFS"
      GroupName: "test-EFS-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - SourceSecurityGroupId: sg-ID
          Description: "servers to connect to efs"
          FromPort: 2049
          IpProtocol: "tcp"
          ToPort: 2049
      Tags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS-SG
        - Key: Project
          Value: ITEngineering
  EFSFileSystem01:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      Encrypted: false
      KmsKeyId: !Ref EFSKMSKey
      LifecyclePolicies:
        - TransitionToIA: AFTER_60_DAYS
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS
        - Key: Project
          Value: ITEngineering
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID1
  MountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID2
  MountTarget3:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID3
  MountTarget4:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {"Type": "String", "Description": "The VPC identity", "Default": "vpc-ID"},
    "SubnetID1": {"Description": "The subnet where to launch the service", "Default": "subnet-ID", "Type": "String"},
    "SubnetID2": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"},
    "SubnetID3": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID4": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"}
  },
  "Resources": {
    "EFSKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example CMK with KMS",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "efs-default-key1",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::999999999999:user/roger"},
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
                "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::999999999999:user/roger"},
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*",
              "Sid": "Allow use of the key"
            }
          ]
        }
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "Tags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS-SG"},
          {"Value": "ITEngineering", "Key": "Project"}
        ],
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC",
        "SecurityGroupIngress": [
          {"SourceSecurityGroupId": "sg-ID", "Description": "servers to connect to efs", "FromPort": 2049, "IpProtocol": "tcp", "ToPort": 2049}
        ]
      }
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {"Status": "ENABLED"},
        "Encrypted": false,
        "KmsKeyId": "EFSKMSKey",
        "LifecyclePolicies": [{"TransitionToIA": "AFTER_60_DAYS"}],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS"},
          {"Key": "Project", "Value": "ITEngineering"}
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID1"}
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID2"}
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"SubnetId": "SubnetID3", "FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"]}
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"SubnetId": "SubnetID4", "FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"]}
    }
  },
  "Outputs": {
    "EFSMountTarget2": {"Description": "The EFS MountTarget2", "Value": "MountTarget2"},
    "EFSMountTarget3": {"Description": "The EFS MountTarget3", "Value": "MountTarget3"},
    "EFSMountTarget4": {"Description": "The EFS MountTarget4", "Value": "MountTarget4"},
    "EFS": {"Description": "The created EFS", "Value": "EFSFileSystem01"},
    "EFSMountTarget1": {"Description": "The EFS MountTarget1", "Value": "MountTarget1"}
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
  VPC:
    Type: String
    Description: The VPC identity
    Default: vpc-ID
  SubnetID1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
  SubnetID3:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  SubnetID4:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  EFSKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: "An example CMK with KMS"
      KeyPolicy:
        Version: "2012-10-17"
        Id: "efs-default-key1"
        Statement:
          - Sid: "Allow administration of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::999999999999:user/roger"
            Action:
              - "kms:Create*"
              - "kms:Describe*"
              - "kms:Enable*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:Update*"
              - "kms:Revoke*"
              - "kms:Disable*"
              - "kms:Get*"
              - "kms:Delete*"
              - "kms:ScheduleKeyDeletion"
              - "kms:CancelKeyDeletion"
            Resource: "*"
          - Sid: "Allow use of the key"
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::999999999999:user/roger"
            Action:
              - "kms:DescribeKey"
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:ReEncrypt*"
              - "kms:GenerateDataKey"
              - "kms:GenerateDataKeyWithoutPlaintext"
            Resource: "*"
  EFSSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for the prod EFS"
      GroupName: "test-EFS-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - SourceSecurityGroupId: sg-ID
          Description: "servers to connect to efs"
          FromPort: 2049
          IpProtocol: "tcp"
          ToPort: 2049
      Tags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS-SG
        - Key: Project
          Value: ITEngineering
  EFSFileSystem01:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      Encrypted: false
      LifecyclePolicies:
        - TransitionToIA: AFTER_60_DAYS
      PerformanceMode: generalPurpose
      ThroughputMode: bursting
      FileSystemTags:
        - Key: Environment
          Value: prod
        - Key: Name
          Value: test-VPC-EFS
        - Key: Project
          Value: ITEngineering
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID1
  MountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID2
  MountTarget3:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID3
  MountTarget4:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem01
      IpAddress: "*.*.*.*"
      SecurityGroups:
        - !Ref EFSSecurityGroup
      SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {"Type": "String", "Description": "The VPC identity", "Default": "vpc-ID"},
    "SubnetID1": {"Type": "String", "Description": "The subnet where to launch the service", "Default": "subnet-ID"},
    "SubnetID2": {"Default": "subnet-ID", "Type": "String", "Description": "the subnet where to Launch the service"},
    "SubnetID3": {"Description": "The subnet where to launch the service", "Default": "subnet-ID", "Type": "String"},
    "SubnetID4": {"Type": "String", "Description": "the subnet where to Launch the service", "Default": "subnet-ID"}
  },
  "Resources": {
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID1"}
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID2"}
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID3"}
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {"FileSystemId": "EFSFileSystem01", "IpAddress": "*.*.*.*", "SecurityGroups": ["EFSSecurityGroup"], "SubnetId": "SubnetID4"}
    },
    "EFSKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "An example CMK with KMS",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "efs-default-key1",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::999999999999:user/roger"},
              "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
                "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
              ],
              "Resource": "*",
              "Sid": "Allow administration of the key"
            },
            {
              "Action": [
                "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"
              ],
              "Resource": "*",
              "Sid": "Allow use of the key",
              "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::999999999999:user/roger"}
            }
          ]
        }
      }
    },
    "EFSSecurityGroup": {
      "Properties": {
        "SecurityGroupIngress": [
          {"SourceSecurityGroupId": "sg-ID", "Description": "servers to connect to efs", "FromPort": 2049, "IpProtocol": "tcp", "ToPort": 2049}
        ],
        "Tags": [
          {"Key": "Environment", "Value": "prod"},
          {"Value": "test-VPC-EFS-SG", "Key": "Name"},
          {"Key": "Project", "Value": "ITEngineering"}
        ],
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": "VPC"
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "LifecyclePolicies": [{"TransitionToIA": "AFTER_60_DAYS"}],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {"Key": "Environment", "Value": "prod"},
          {"Key": "Name", "Value": "test-VPC-EFS"},
          {"Key": "Project", "Value": "ITEngineering"}
        ],
        "BackupPolicy": {"Status": "ENABLED"},
        "Encrypted": false
      }
    }
  },
  "Outputs": {
    "EFSMountTarget2": {"Description": "The EFS MountTarget2", "Value": "MountTarget2"},
    "EFSMountTarget3": {"Description": "The EFS MountTarget3", "Value": "MountTarget3"},
    "EFSMountTarget4": {"Value": "MountTarget4", "Description": "The EFS MountTarget4"},
    "EFS": {"Description": "The created EFS", "Value": "EFSFileSystem01"},
    "EFSMountTarget1": {"Description": "The EFS MountTarget1", "Value": "MountTarget1"}
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```