--- title: EFS not encrypted description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > EFS not encrypted --- # EFS not encrypted {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `48207659-729f-4b5c-9402-f884257d794f` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#encrypted) ### Description{% #description %} AWS Elastic File System (EFS) stores data in clear text by default, potentially exposing sensitive information if the storage system is compromised. When EFS is not encrypted, unauthorized users who gain access to the underlying storage could read file contents, leading to data breaches and compliance violations. To properly secure an EFS file system, set the `encrypted` attribute to `true` in your Terraform configuration, as shown below: ```hcl resource "aws_efs_file_system" "secure_example" { creation_token = "my-product" encrypted = true tags = { Name = "MyProduct" } } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_efs_file_system" "negative1" { creation_token = "my-product" encrypted = true tags = { Name = "MyProduct" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_efs_file_system" "positive1" { creation_token = "my-product" tags = { Name = "MyProduct" } } resource "aws_efs_file_system" "positive2" { creation_token = "my-product" encrypted = false tags = { Name = "MyProduct" } } ```