For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-efs-without-tags.md. A documentation index is available at /llms.txt.

EFS without tags

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-efs-without-tags

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Build Process

Learn More

Description

Amazon EFS file systems should be tagged to enable asset identification and to support automated policy and access controls. Missing tags make it harder to track ownership and enforce tag-based security or lifecycle rules.

The CloudFormation resource AWS::EFS::FileSystem must include the FileSystemTags property, and it must be defined (not null). Resources missing FileSystemTags or with it set to null will be flagged for remediation.

Secure configuration example:

MyEFS:
  Type: AWS::EFS::FileSystem
  Properties:
    FileSystemTags:
      - Key: Name
        Value: my-efs
      - Key: Environment
        Value: production

Compliant Code Examples


AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
  Owner:
    Type: String
    Default: FirstName LastName
  Project:
    Type: String
    Default: EFS Mount
  VPC:
    Type: AWS::EC2::VPC::Id
  Subnet1:
    Type: AWS::EC2::Subnet::Id
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      FileSystemTags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref Subnet1
      SecurityGroups:
      - !Ref EfsSecurityGroup
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instance to EFS Mount Access
      VpcId: !Ref VPC
      Tags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Elastic File System",
  "Parameters": {
    "VPC": {
      "Type": "AWS::EC2::VPC::Id"
    },
    "Subnet1": {
      "Type": "AWS::EC2::Subnet::Id"
    },
    "Owner": {
      "Type": "String",
      "Default": "FirstName LastName"
    },
    "Project": {
      "Type": "String",
      "Default": "EFS Mount"
    }
  },
  "Resources": {
    "EfsSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ],
        "GroupDescription": "Instance to EFS Mount Access",
        "VpcId": "VPC"
      }
    },
    "FileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "FileSystemTags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "FileSystem",
        "SubnetId": "Subnet1",
        "SecurityGroups": [
          "EfsSecurityGroup"
        ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Description: Create Elastic File System
Parameters:
  Owner:
    Type: String
    Default: FirstName LastName
  Project:
    Type: String
    Default: EFS Mount
  VPC:
    Type: AWS::EC2::VPC::Id
  Subnet1:
    Type: AWS::EC2::Subnet::Id
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      PerformanceMode: generalPurpose
  MountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref Subnet1
      SecurityGroups:
      - !Ref EfsSecurityGroup
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instance to EFS Mount Access
      VpcId: !Ref VPC
      Tags:
      - Key: Name
        Value: !Ref AWS::StackName
      - Key: Owner
        Value: !Ref Owner
      - Key: Project
        Value: !Ref Project

{
  "Parameters": {
    "Project": {
      "Default": "EFS Mount",
      "Type": "String"
    },
    "VPC": {
      "Type": "AWS::EC2::VPC::Id"
    },
    "Subnet1": {
      "Type": "AWS::EC2::Subnet::Id"
    },
    "Owner": {
      "Type": "String",
      "Default": "FirstName LastName"
    }
  },
  "Resources": {
    "EfsSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Instance to EFS Mount Access",
        "VpcId": "VPC",
        "Tags": [
          {
            "Key": "Name",
            "Value": "AWS::StackName"
          },
          {
            "Key": "Owner",
            "Value": "Owner"
          },
          {
            "Key": "Project",
            "Value": "Project"
          }
        ]
      }
    },
    "FileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "Encrypted": true,
        "PerformanceMode": "generalPurpose"
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": "FileSystem",
        "SubnetId": "Subnet1",
        "SecurityGroups": [
          "EfsSecurityGroup"
        ]
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Elastic File System"
}