This product is not supported for your selected
Datadog site. (
).
Id: 2ff8e83c-90e1-4d68-a300-6d652112e622
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Encryption
Learn More
Description
Amazon EFS file systems must have encryption enabled to protect data at rest. Without encryption, file data, backups, and snapshots can be exposed if storage media or underlying infrastructure is compromised.
For AWS::EFS::FileSystem resources, the Properties.Encrypted property must be set to true. This rule flags resources with Encrypted set to false. To ensure encryption is always applied, explicitly set Encrypted to true and optionally specify KmsKeyId to use a customer-managed AWS KMS key.
Secure configuration example:
MyEFS:
Type: AWS::EFS::FileSystem
Properties:
Encrypted: true
KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd-ef01-2345-6789
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
VPC:
Type: String
Description: The VPC identity
Default: vpc-ID
SubnetID1:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID2:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
SubnetID3:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID4:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
Resources:
EFSSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "security group for the prod EFS"
GroupName: "test-EFS-SG"
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: sg-ID
Description: "servers to connect to efs"
FromPort: 2049
IpProtocol: "tcp"
ToPort: 2049
Tags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS-SG
- Key: Project
Value: ITEngineering
EFSFileSystem:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
Encrypted: true
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
ThroughputMode: bursting
FileSystemTags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS
- Key: Project
Value: ITEngineering
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID1
MountTarget2:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID2
MountTarget3:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID3
MountTarget4:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID4
Outputs:
EFS:
Description: The created EFS
Value: !Ref EFSFileSystem
EFSMountTarget1:
Description: The EFS MountTarget1
Value: !Ref MountTarget1
EFSMountTarget2:
Description: The EFS MountTarget2
Value: !Ref MountTarget2
EFSMountTarget3:
Description: The EFS MountTarget3
Value: !Ref MountTarget3
EFSMountTarget4:
Description: The EFS MountTarget4
Value: !Ref MountTarget4
{
"Resources": {
"EFSFileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"BackupPolicy": {
"Status": "ENABLED"
},
"Encrypted": true,
"LifecyclePolicies": [
{
"TransitionToIA": "AFTER_60_DAYS"
}
],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"FileSystemTags": [
{
"Value": "prod",
"Key": "Environment"
},
{
"Key": "Name",
"Value": "test-VPC-EFS"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
]
}
},
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID1"
}
},
"MountTarget2": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID2",
"FileSystemId": "EFSFileSystem"
}
},
"MountTarget3": {
"Properties": {
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID3",
"FileSystemId": "EFSFileSystem"
},
"Type": "AWS::EFS::MountTarget"
},
"MountTarget4": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID4"
}
},
"EFSSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "security group for the prod EFS",
"GroupName": "test-EFS-SG",
"VpcId": "VPC",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"ToPort": 2049,
"SourceSecurityGroupId": "sg-ID",
"Description": "servers to connect to efs",
"FromPort": 2049
}
],
"Tags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Name",
"Value": "test-VPC-EFS-SG"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
]
}
}
},
"Outputs": {
"EFSMountTarget2": {
"Value": "MountTarget2",
"Description": "The EFS MountTarget2"
},
"EFSMountTarget3": {
"Description": "The EFS MountTarget3",
"Value": "MountTarget3"
},
"EFSMountTarget4": {
"Description": "The EFS MountTarget4",
"Value": "MountTarget4"
},
"EFS": {
"Description": "The created EFS",
"Value": "EFSFileSystem"
},
"EFSMountTarget1": {
"Description": "The EFS MountTarget1",
"Value": "MountTarget1"
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create EFS system and Mount Targets for test VPC",
"Parameters": {
"VPC": {
"Type": "String",
"Description": "The VPC identity",
"Default": "vpc-ID"
},
"SubnetID1": {
"Default": "subnet-ID",
"Type": "String",
"Description": "The subnet where to launch the service"
},
"SubnetID2": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
},
"SubnetID3": {
"Type": "String",
"Description": "The subnet where to launch the service",
"Default": "subnet-ID"
},
"SubnetID4": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
}
}
}
Non-Compliant Code Examples
{
"Description": "Create EFS system and Mount Targets for test VPC",
"Parameters": {
"VPC": {
"Type": "String",
"Description": "The VPC identity",
"Default": "vpc-ID"
},
"SubnetID1": {
"Description": "The subnet where to launch the service",
"Default": "subnet-ID",
"Type": "String"
},
"SubnetID2": {
"Type": "String",
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID"
},
"SubnetID3": {
"Default": "subnet-ID",
"Type": "String",
"Description": "The subnet where to launch the service"
},
"SubnetID4": {
"Description": "the subnet where to Launch the service",
"Default": "subnet-ID",
"Type": "String"
}
},
"Resources": {
"MountTarget3": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID3"
}
},
"MountTarget4": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID4"
}
},
"EFSSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "security group for the prod EFS",
"GroupName": "test-EFS-SG",
"VpcId": "VPC",
"SecurityGroupIngress": [
{
"ToPort": 2049,
"SourceSecurityGroupId": "sg-ID",
"Description": "servers to connect to efs",
"FromPort": 2049,
"IpProtocol": "tcp"
}
],
"Tags": [
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Name",
"Value": "test-VPC-EFS-SG"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
]
}
},
"EFSFileSystem01": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"BackupPolicy": {
"Status": "ENABLED"
},
"Encrypted": false,
"LifecyclePolicies": [
{
"TransitionToIA": "AFTER_60_DAYS"
}
],
"PerformanceMode": "generalPurpose",
"ThroughputMode": "bursting",
"FileSystemTags": [
{
"Value": "prod",
"Key": "Environment"
},
{
"Key": "Name",
"Value": "test-VPC-EFS"
},
{
"Key": "Project",
"Value": "ITEngineering"
}
]
}
},
"MountTarget1": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
],
"SubnetId": "SubnetID1"
}
},
"MountTarget2": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"SubnetId": "SubnetID2",
"FileSystemId": "EFSFileSystem01",
"IpAddress": "*.*.*.*",
"SecurityGroups": [
"EFSSecurityGroup"
]
}
}
},
"Outputs": {
"EFS": {
"Description": "The created EFS",
"Value": "EFSFileSystem01"
},
"EFSMountTarget1": {
"Description": "The EFS MountTarget1",
"Value": "MountTarget1"
},
"EFSMountTarget2": {
"Description": "The EFS MountTarget2",
"Value": "MountTarget2"
},
"EFSMountTarget3": {
"Description": "The EFS MountTarget3",
"Value": "MountTarget3"
},
"EFSMountTarget4": {
"Value": "MountTarget4",
"Description": "The EFS MountTarget4"
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
VPC:
Type: String
Description: The VPC identity
Default: vpc-ID
SubnetID1:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID2:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
SubnetID3:
Type: String
Description: The subnet where to launch the service
Default: subnet-ID
SubnetID4:
Type: String
Description: the subnet where to Launch the service
Default: subnet-ID
Resources:
EFSSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "security group for the prod EFS"
GroupName: "test-EFS-SG"
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: sg-ID
Description: "servers to connect to efs"
FromPort: 2049
IpProtocol: "tcp"
ToPort: 2049
Tags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS-SG
- Key: Project
Value: ITEngineering
EFSFileSystem01:
Type: AWS::EFS::FileSystem
Properties:
BackupPolicy:
Status: ENABLED
Encrypted: false
LifecyclePolicies:
- TransitionToIA: AFTER_60_DAYS
PerformanceMode: generalPurpose
ThroughputMode: bursting
FileSystemTags:
- Key: Environment
Value: prod
- Key: Name
Value: test-VPC-EFS
- Key: Project
Value: ITEngineering
MountTarget1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID1
MountTarget2:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID2
MountTarget3:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID3
MountTarget4:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId: !Ref EFSFileSystem01
IpAddress: "*.*.*.*"
SecurityGroups:
- !Ref EFSSecurityGroup
SubnetId: !Ref SubnetID4
Outputs:
EFS:
Description: The created EFS
Value: !Ref EFSFileSystem01
EFSMountTarget1:
Description: The EFS MountTarget1
Value: !Ref MountTarget1
EFSMountTarget2:
Description: The EFS MountTarget2
Value: !Ref MountTarget2
EFSMountTarget3:
Description: The EFS MountTarget3
Value: !Ref MountTarget3
EFSMountTarget4:
Description: The EFS MountTarget4
Value: !Ref MountTarget4
