AWS Amazon EFS File System

This page shows how to write Terraform and CloudFormation for Amazon EFS File System and write them securely.

aws_efs_file_system (Terraform)

The File System in Amazon EFS can be configured in Terraform with the resource name aws_efs_file_system. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

efs.tf#L1
resource "aws_efs_file_system" "efsNotEncrypted" {
  creation_token = "my-product"

  tags = {
    Name = "not-encrypted"
  }
}

test.tf#L1
resource "aws_efs_file_system" "fs" { # Noncompliant {{Make sure that using unencrypted EFS file systems is safe here.}}
#        ^^^^^^^^^^^^^^^^^^^^^
}

resource "aws_efs_file_system" "fs" {
#        ^^^^^^^^^^^^^^^^^^^^^> {{Related file system}}
}

efs_file_system_test.tf#L12
resource "aws_efs_file_system" "standard" {
  lifecycle_policy {
    transition_to_ia = "AFTER_7_DAYS"
  }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_efs_file_system

There is 1 setting in aws_efs_file_system that should be taken care of for security reasons. The following section gives an overview.

Enable at rest encryption of EFS

Enable at-rest encryption for EFS file systems to reduce the risk of data leakage.
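
The unencrypted form next to a hardened one, as an added example that is not taken from this page or from the repositories it cites. The resource names, creation tokens and the customer-managed KMS key are assumptions made for illustration; `encrypted` and `kms_key_id` are arguments of aws_efs_file_system.

```hcl
# Weak: `encrypted` is omitted, so the file system is created without
# at-rest encryption.
resource "aws_efs_file_system" "unencrypted" {
  creation_token = "example-unencrypted" # constructed value

  tags = {
    Name = "not-encrypted"
  }
}

# Customer-managed key (assumption: you want to control the key policy and
# rotation yourself). If kms_key_id is left out below, EFS uses the
# AWS-managed key for the service instead.
resource "aws_kms_key" "efs" {
  description             = "Key for EFS at-rest encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Hardened: at-rest encryption is switched on explicitly.
# Encryption at rest is chosen when the file system is created, so changing
# `encrypted` on an existing resource makes Terraform replace it. Plan a data
# migration before applying this to a file system that already holds data.
resource "aws_efs_file_system" "encrypted" {
  creation_token = "example-encrypted" # constructed value
  encrypted      = true
  kms_key_id     = aws_kms_key.efs.arn

  tags = {
    Name = "encrypted"
  }
}
```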

Explanation in Terraform Registry

Provides an Elastic File System (EFS) File System resource.

AWS::EFS::FileSystem (CloudFormation)

The FileSystem in EFS can be configured in CloudFormation with the resource name AWS::EFS::FileSystem. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

serverless.yml#L79
      # Type: AWS::EFS::FileSystem
      Properties:
        FileSystemConfigs:
          - Arn: 'arn:aws:elasticfilesystem:${self:provider.region}:654288102859:access-point/${self:custom.efsAccessPoint}'
            LocalMountPath: '${self:custom.LocalMountPath}'
    TestLambdaFunction:

efs.yml#L5
    Type: AWS::EFS::FileSystem
    Properties:
      LifecyclePolicies:
        - TransitionToIA: AFTER_90_DAYS
      # PerformanceMode takes a single string value, not a list
      PerformanceMode: generalPurpose

EFSEncrpytion-FAILED.yml#L4
    Type: 'AWS::EFS::FileSystem'
    Properties:
      PerformanceMode: maxIO
      Encrypted: false
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS

EFSEncrpytion-PASSED.yml#L4
    Type: 'AWS::EFS::FileSystem'
    Properties:
      PerformanceMode: maxIO
      Encrypted: true
      LifecyclePolicies:
        - TransitionToIA: AFTER_30_DAYS

storage.yml#L10
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      BackupPolicy:
        Status: ENABLED
      FileSystemTags:

test.json#L5
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "Encrypted": true
      }
    },
    "SensitiveEFSFileSystem": {

CloudFormation_test_EFSOnly.json#L4
      "Type" : "AWS::EFS::FileSystem",
      "Properties" : {
        "FileSystemTags" : [
          {
            "Key" : "Name",
            "Value" : "TestFileSystem"

template.json#L4
      "Type": "AWS::EFS::FileSystem",
      "Properties": {}
    }
  }
}

_index.json#L3
        "Type": "AWS::EFS::FileSystem",
        "Properties": {
            "Encrypted": true,
            "PerformanceMode": "generalPurpose",
            "FileSystemTags": [
                {

EFS.json#L3
  "resourceType" : "AWS::EFS::FileSystem",
  "properties" : [ {
    "propertyName" : "FileSystemTags",
    "propertyType" : "List<AWS::EFS::FileSystem::FileSystemTag>",
    "required" : false,
    "propertyHref" : "aws-properties-efs-filesystem-filesystemtags.html"

Explanation in CloudFormation Registry

The AWS::EFS::FileSystem resource creates a new, empty file system in Amazon Elastic File System (Amazon EFS). You must create a mount target (AWS::EFS::MountTarget) to mount your EFS file system on an Amazon EC2 or other AWS cloud compute resource.

Frequently asked questions

What is AWS Amazon EFS File System?

AWS Amazon EFS File System is a resource for Amazon EFS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon EFS File System?

For Terraform, the storebot/pr_demo_flat, SonarSource/sonar-iac and gilyas/infracost source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the DesiPilla/frus-event-exctraction, oscar93varlop/wp-efs-rds and bridgecrewio/checkov source code examples are useful. See the CloudFormation Example section for further details.