AWS Amazon EFS File System
This page shows how to write Terraform and CloudFormation definitions for an Amazon EFS File System, and how to write them securely.
aws_efs_file_system (Terraform)
The File System in Amazon EFS can be configured in Terraform with the resource name aws_efs_file_system. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_efs_file_system" "efsNotEncrypted" {
  # No "encrypted" argument: the file system is created without at-rest encryption.
  creation_token = "my-product"
  tags = {
    Name = "not-encrypted"
  }
}

resource "aws_efs_file_system" "fs" { # Noncompliant {{Make sure that using unencrypted EFS file systems is safe here.}}
#                                ^^^^^^^^^^^^^^^^^^^^^> {{Related file system}}
}

resource "aws_efs_file_system" "standard" {
  # Lifecycle policy only; encryption at rest is not enabled here either.
  lifecycle_policy {
    transition_to_ia = "AFTER_7_DAYS"
  }
}
Security Best Practices for aws_efs_file_system
There is 1 setting in aws_efs_file_system that should be taken care of for security reasons. The following section gives an overview and example code.
Enable at rest encryption of EFS
Enable encryption at rest for EFS to reduce the risk of data leakage.
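As an added example (not taken from the GitHub sources this page lists), the unencrypted resource from the examples above is shown beside a hardened definition that enables encryption at rest with a customer-managed KMS key; the resource names, creation tokens and the KMS key definition are assumptions.

```hcl
# Noncompliant: no "encrypted" argument, so the file system is created unencrypted.
resource "aws_efs_file_system" "unencrypted" {
  creation_token = "my-product"
}

# Customer-managed key used for the EFS file system (name and rotation are assumptions).
resource "aws_kms_key" "efs" {
  description         = "CMK for EFS at-rest encryption"
  enable_key_rotation = true
}

# Compliant: encryption at rest is enabled and bound to the CMK above.
# Both arguments must be set when the file system is created: changing
# "encrypted" later forces replacement of the resource (and of its data),
# and kms_key_id is only valid together with encrypted = true.
resource "aws_efs_file_system" "encrypted" {
  creation_token = "my-product-encrypted"
  encrypted      = true
  kms_key_id     = aws_kms_key.efs.arn

  lifecycle_policy {
    transition_to_ia = "AFTER_30_DAYS"
  }

  tags = {
    Name = "encrypted"
  }
}
```

Run terraform plan and confirm the planned aws_efs_file_system shows encrypted = true and the expected kms_key_id before applying, since neither can be fixed in place afterwards.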
Parameters
- arn: optional, computed - string
- availability_zone_id: optional, computed - string
- availability_zone_name: optional, computed - string
- creation_token: optional, computed - string
- dns_name: optional, computed - string
- encrypted: optional, computed - bool
- id: optional, computed - string
- kms_key_id: optional, computed - string
- number_of_mount_targets: optional, computed - number
- owner_id: optional, computed - string
- performance_mode: optional, computed - string
- provisioned_throughput_in_mibps: optional - number
- size_in_bytes: optional, computed - list of object
  - value: number
  - value_in_ia: number
  - value_in_standard: number
- tags: optional - map from string to string
- throughput_mode: optional - string
- lifecycle_policy: list block
  - transition_to_ia: required - string
Explanation in Terraform Registry
Provides an Elastic File System (EFS) File System resource.
AWS::EFS::FileSystem (CloudFormation)
The FileSystem in EFS can be configured in CloudFormation with the resource name AWS::EFS::FileSystem. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Example 1 (a serverless.yml function definition that mounts an EFS access point; the ARN is built from framework variables):
# Type: AWS::EFS::FileSystem
Properties:
  FileSystemConfigs:
    - Arn: 'arn:aws:elasticfilesystem:${self:provider.region}:654288102859:access-point/${self:custom.efsAccessPoint}'
      LocalMountPath: '${self:custom.LocalMountPath}'

Example 2:
TestLambdaFunction:
  Type: AWS::EFS::FileSystem
  Properties:
    LifecyclePolicies:
      - TransitionToIA: AFTER_90_DAYS
    PerformanceMode: generalPurpose   # PerformanceMode is a String, not a list

Example 3 (unencrypted file system):
Type: 'AWS::EFS::FileSystem'
Properties:
  PerformanceMode: maxIO
  Encrypted: false
  LifecyclePolicies:
    - TransitionToIA: AFTER_30_DAYS

Example 4 (the same definition with encryption at rest enabled):
Type: 'AWS::EFS::FileSystem'
Properties:
  PerformanceMode: maxIO
  Encrypted: true
  LifecyclePolicies:
    - TransitionToIA: AFTER_30_DAYS

Example 5 (encrypted, with automatic backups enabled; the FileSystemTags entries are truncated in the source):
Type: AWS::EFS::FileSystem
Properties:
  Encrypted: true
  BackupPolicy:
    Status: ENABLED
  FileSystemTags:

Example 6:
{
  "Type": "AWS::EFS::FileSystem",
  "Properties": {
    "Encrypted": true
  }
}

Example 7:
"SensitiveEFSFileSystem": {
  "Type": "AWS::EFS::FileSystem",
  "Properties": {
    "FileSystemTags": [
      {
        "Key": "Name",
        "Value": "TestFileSystem"
      }
    ]
  }
}

Example 8 (no properties set, so the file system is created unencrypted):
{
  "Type": "AWS::EFS::FileSystem",
  "Properties": {}
}

Example 9 (the FileSystemTags entries are truncated in the source):
{
  "Type": "AWS::EFS::FileSystem",
  "Properties": {
    "Encrypted": true,
    "PerformanceMode": "generalPurpose",
    "FileSystemTags": [
      {}
    ]
  }
}

Example 10 (a resource specification entry describing the FileSystemTags property, not a template):
{
  "resourceType": "AWS::EFS::FileSystem",
  "properties": [ {
    "propertyName": "FileSystemTags",
    "propertyType": "List<AWS::EFS::FileSystem::FileSystemTag>",
    "required": false,
    "propertyHref": "aws-properties-efs-filesystem-filesystemtags.html"
  } ]
}
Parameters
- Encrypted: optional - Boolean
- FileSystemTags: optional - List of ElasticFileSystemTag
- KmsKeyId: optional - String
- LifecyclePolicies: optional - List of LifecyclePolicy
- PerformanceMode: optional - String
- ProvisionedThroughputInMibps: optional - Double
- ThroughputMode: optional - String
- FileSystemPolicy: optional - Json
- BypassPolicyLockoutSafetyCheck: optional - Boolean
- BackupPolicy: optional - BackupPolicy
- AvailabilityZoneName: optional - String
Explanation in CloudFormation Registry
The AWS::EFS::FileSystem resource creates a new, empty file system in Amazon Elastic File System (Amazon EFS). You must create a mount target (AWS::EFS::MountTarget) to mount your EFS file system on an Amazon EC2 or other AWS cloud compute resource.
Frequently asked questions
What is AWS Amazon EFS File System?
AWS Amazon EFS File System is a resource for Amazon EFS of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EFS File System?
For Terraform, the storebot/pr_demo_flat, SonarSource/sonar-iac and gilyas/infracost source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the DesiPilla/frus-event-exctraction, oscar93varlop/wp-efs-rds and bridgecrewio/checkov source code examples are useful. See the CloudFormation Example section for further details.