---
title: EFS not encrypted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > EFS not encrypted
---

# EFS not encrypted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `2ff8e83c-90e1-4d68-a300-6d652112e622`

**Cloud Provider:** AWS

**Platform:** CloudFormation

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html)

### Description{% #description %}

Amazon EFS file systems must have encryption enabled to protect data at rest. Without encryption, file data, backups, and snapshots can be exposed if storage media or underlying infrastructure is compromised.

For `AWS::EFS::FileSystem` resources, the `Properties.Encrypted` property must be set to `true`. This rule flags resources with `Encrypted` set to `false`. To ensure encryption is always applied, explicitly set `Encrypted` to `true` and optionally specify `KmsKeyId` to use a customer-managed AWS KMS key.

Secure configuration example:

```yaml
MyEFS:
  Type: AWS::EFS::FileSystem
  Properties:
    Encrypted: true
    KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd-ef01-2345-6789
```
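A minimal version of the check this rule performs, written here as an added example (not Datadog's scanner code): it walks the `Resources` of a CloudFormation JSON template and reports every `AWS::EFS::FileSystem` whose `Properties.Encrypted` is not `true`. It goes slightly beyond the rule text by also reporting a missing `Encrypted` property (EFS file systems are created unencrypted unless the property is set) and by labelling values it cannot resolve, such as a `Ref` to a parameter. The sample template is constructed inline.

```python
"""Report AWS::EFS::FileSystem resources whose Properties.Encrypted is not true."""
import json

EFS_TYPE = "AWS::EFS::FileSystem"


def _is_true(value) -> bool:
    # CloudFormation accepts both the JSON boolean and the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _is_false(value) -> bool:
    return value is False or (isinstance(value, str) and value.lower() == "false")


def find_unencrypted_efs(template: dict) -> list[dict]:
    """Return one finding per EFS file system that is not explicitly encrypted.

    reason == "explicit_false" is exactly what this rule flags; "missing" covers an
    omitted property (also unencrypted at rest); "unresolved" marks an intrinsic
    function (Ref, Fn::If, ...) that needs parameter resolution before judging.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != EFS_TYPE:
            continue
        props = resource.get("Properties") or {}
        encrypted = props.get("Encrypted")
        if _is_true(encrypted):
            continue
        if encrypted is None:
            reason = "missing"
        elif _is_false(encrypted):
            reason = "explicit_false"
        else:
            reason = "unresolved"
        findings.append({"resource": logical_id, "reason": reason,
                         "kms_key": props.get("KmsKeyId")})
    return findings


# Constructed sample template (not from the page): compliant, explicit false, omitted.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodFS": {"Type": "AWS::EFS::FileSystem",
               "Properties": {"Encrypted": true, "KmsKeyId": "alias/placeholder-key"}},
    "BadFS":  {"Type": "AWS::EFS::FileSystem", "Properties": {"Encrypted": false}},
    "OmitFS": {"Type": "AWS::EFS::FileSystem", "Properties": {"PerformanceMode": "generalPurpose"}},
    "MT":     {"Type": "AWS::EFS::MountTarget", "Properties": {"FileSystemId": {"Ref": "GoodFS"}}}
  }
}
""")

if __name__ == "__main__":
    for finding in find_unencrypted_efs(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: Encrypted {finding['reason']}")
```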

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: true
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```

```json
{
  "Resources": {
    "EFSFileSystem": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": true,
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Value": "prod",
            "Key": "Environment"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID1" }
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID2" }
      }
    },
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID3" }
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID4" }
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": { "Ref": "VPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "ToPort": 2049,
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS-SG"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    }
  },
  "Outputs": {
    "EFS": {
      "Description": "The created EFS",
      "Value": { "Ref": "EFSFileSystem" }
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": { "Ref": "MountTarget1" }
    },
    "EFSMountTarget2": {
      "Description": "The EFS MountTarget2",
      "Value": { "Ref": "MountTarget2" }
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": { "Ref": "MountTarget3" }
    },
    "EFSMountTarget4": {
      "Description": "The EFS MountTarget4",
      "Value": { "Ref": "MountTarget4" }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Default": "subnet-ID",
      "Type": "String",
      "Description": "The subnet where to launch the service"
    },
    "SubnetID2": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID3": {
      "Type": "String",
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID4": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    }
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```json
{
  "Description": "Create EFS system and Mount Targets for test VPC",
  "Parameters": {
    "VPC": {
      "Type": "String",
      "Description": "The VPC identity",
      "Default": "vpc-ID"
    },
    "SubnetID1": {
      "Description": "The subnet where to launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    },
    "SubnetID2": {
      "Type": "String",
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID"
    },
    "SubnetID3": {
      "Default": "subnet-ID",
      "Type": "String",
      "Description": "The subnet where to launch the service"
    },
    "SubnetID4": {
      "Description": "the subnet where to Launch the service",
      "Default": "subnet-ID",
      "Type": "String"
    }
  },
  "Resources": {
    "MountTarget3": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem01" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID3" }
      }
    },
    "MountTarget4": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem01" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID4" }
      }
    },
    "EFSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "security group for the prod EFS",
        "GroupName": "test-EFS-SG",
        "VpcId": { "Ref": "VPC" },
        "SecurityGroupIngress": [
          {
            "ToPort": 2049,
            "SourceSecurityGroupId": "sg-ID",
            "Description": "servers to connect to efs",
            "FromPort": 2049,
            "IpProtocol": "tcp"
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "prod"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS-SG"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "EFSFileSystem01": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "BackupPolicy": {
          "Status": "ENABLED"
        },
        "Encrypted": false,
        "LifecyclePolicies": [
          {
            "TransitionToIA": "AFTER_60_DAYS"
          }
        ],
        "PerformanceMode": "generalPurpose",
        "ThroughputMode": "bursting",
        "FileSystemTags": [
          {
            "Value": "prod",
            "Key": "Environment"
          },
          {
            "Key": "Name",
            "Value": "test-VPC-EFS"
          },
          {
            "Key": "Project",
            "Value": "ITEngineering"
          }
        ]
      }
    },
    "MountTarget1": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem01" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID1" }
      }
    },
    "MountTarget2": {
      "Type": "AWS::EFS::MountTarget",
      "Properties": {
        "FileSystemId": { "Ref": "EFSFileSystem01" },
        "IpAddress": "*.*.*.*",
        "SecurityGroups": [
          { "Ref": "EFSSecurityGroup" }
        ],
        "SubnetId": { "Ref": "SubnetID2" }
      }
    }
  },
  "Outputs": {
    "EFS": {
      "Description": "The created EFS",
      "Value": { "Ref": "EFSFileSystem01" }
    },
    "EFSMountTarget1": {
      "Description": "The EFS MountTarget1",
      "Value": { "Ref": "MountTarget1" }
    },
    "EFSMountTarget2": {
      "Description": "The EFS MountTarget2",
      "Value": { "Ref": "MountTarget2" }
    },
    "EFSMountTarget3": {
      "Description": "The EFS MountTarget3",
      "Value": { "Ref": "MountTarget3" }
    },
    "EFSMountTarget4": {
      "Description": "The EFS MountTarget4",
      "Value": { "Ref": "MountTarget4" }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}
```

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create EFS system and Mount Targets for test VPC"
Parameters:
    VPC:
        Type: String
        Description: The VPC identity
        Default: vpc-ID
    SubnetID1:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID2:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
    SubnetID3:
        Type: String
        Description: The subnet where to launch the service
        Default: subnet-ID
    SubnetID4:
        Type: String
        Description: the subnet where to Launch the service
        Default: subnet-ID
Resources:
    EFSSecurityGroup:
        Type: "AWS::EC2::SecurityGroup"
        Properties:
            GroupDescription: "security group for the prod EFS"
            GroupName: "test-EFS-SG"
            VpcId: !Ref VPC
            SecurityGroupIngress:
              - SourceSecurityGroupId: sg-ID
                Description: "servers to connect to efs"
                FromPort: 2049
                IpProtocol: "tcp"
                ToPort: 2049
            Tags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS-SG
              - Key: Project
                Value: ITEngineering
    EFSFileSystem01:
        Type: AWS::EFS::FileSystem
        Properties:
            BackupPolicy:
              Status: ENABLED
            Encrypted: false
            LifecyclePolicies:
              - TransitionToIA: AFTER_60_DAYS
            PerformanceMode: generalPurpose
            ThroughputMode: bursting
            FileSystemTags:
              - Key: Environment
                Value: prod
              - Key: Name
                Value: test-VPC-EFS
              - Key: Project
                Value: ITEngineering
    MountTarget1:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID1
    MountTarget2:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID2
    MountTarget3:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID3
    MountTarget4:
        Type: AWS::EFS::MountTarget
        Properties:
            FileSystemId: !Ref EFSFileSystem01
            IpAddress: "*.*.*.*"
            SecurityGroups:
              - !Ref EFSSecurityGroup
            SubnetId: !Ref SubnetID4
Outputs:
  EFS:
    Description: The created EFS
    Value: !Ref EFSFileSystem01
  EFSMountTarget1:
    Description: The EFS MountTarget1
    Value: !Ref MountTarget1
  EFSMountTarget2:
    Description: The EFS MountTarget2
    Value: !Ref MountTarget2
  EFSMountTarget3:
    Description: The EFS MountTarget3
    Value: !Ref MountTarget3
  EFSMountTarget4:
    Description: The EFS MountTarget4
    Value: !Ref MountTarget4
```
