Severity: HIGH · Service: EFS · Category: Security

EFS Encryption Disabled

efs-encryption-disabled

What this rule checks

Detects AWS::EFS::FileSystem resources without Encrypted=true. The CFN default is unencrypted (unlike the EFS console default), and encryption can only be enabled at filesystem creation.
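The check described above, written out as an added example in TypeScript (this is not CDK Insights' own scanner code): it walks the Resources section of a synthesised CloudFormation template, flags every AWS::EFS::FileSystem whose Encrypted property is missing or not true, and reports whether the property was omitted (CFN default, unencrypted) or explicitly set to false. The function and type names, and the sample template, are this example's own; the template shape is the standard CloudFormation JSON that `cdk synth` emits. It goes slightly beyond the rule text by also accepting the string "true", which templates converted from YAML sometimes carry.

```typescript
// Added example, not CDK Insights' own code: scan a synthesised CloudFormation
// template for AWS::EFS::FileSystem resources that are not encrypted at rest.
// Names (CfnTemplate, EfsFinding, findUnencryptedEfs) are this example's own.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources?: Record<string, CfnResource>;
}

interface EfsFinding {
  logicalId: string;
  ruleId: 'efs-encryption-disabled';
  severity: 'HIGH';
  message: string;
}

// CloudFormation types Encrypted as Boolean, but templates converted from YAML
// or written by hand sometimes carry the string "true"; treat both as enabled.
function isEncryptionEnabled(value: unknown): boolean {
  return value === true || (typeof value === 'string' && value.toLowerCase() === 'true');
}

function findUnencryptedEfs(template: CfnTemplate): EfsFinding[] {
  const findings: EfsFinding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources ?? {})) {
    if (resource.Type !== 'AWS::EFS::FileSystem') continue;
    const props = resource.Properties ?? {};
    if (isEncryptionEnabled(props['Encrypted'])) continue;

    // A missing property is as bad as an explicit false: the CFN default is
    // unencrypted, and encryption cannot be turned on after creation.
    const how = 'Encrypted' in props
      ? `Encrypted=${JSON.stringify(props['Encrypted'])}`
      : 'Encrypted omitted (CloudFormation default is unencrypted)';
    findings.push({
      logicalId,
      ruleId: 'efs-encryption-disabled',
      severity: 'HIGH',
      message: `${how}; set Encrypted: true (optionally with KmsKeyId) when the file system is created`,
    });
  }
  return findings;
}

// Constructed sample template: one file system flagged by omission, one flagged
// by an explicit false, one correctly encrypted with a customer-managed key,
// plus an unrelated resource that the rule must ignore.
const sampleTemplate: CfnTemplate = {
  Resources: {
    FileSystemA: { Type: 'AWS::EFS::FileSystem', Properties: { PerformanceMode: 'generalPurpose' } },
    FileSystemB: { Type: 'AWS::EFS::FileSystem', Properties: { Encrypted: false } },
    FileSystemC: {
      Type: 'AWS::EFS::FileSystem',
      Properties: { Encrypted: true, KmsKeyId: { Ref: 'EfsKey' } },
    },
    EfsKey: { Type: 'AWS::KMS::Key', Properties: {} },
  },
};

// Running the scan over the sample yields two findings: FileSystemA and FileSystemB.
const sampleFindings = findUnencryptedEfs(sampleTemplate);
for (const f of sampleFindings) {
  console.log(`${f.severity} ${f.ruleId} ${f.logicalId}: ${f.message}`);
}
```

Feed it the JSON under cdk.out/ after `cdk synth` to reproduce the rule's verdict for a stack; the two findings from the sample show the omission case and the explicit-false case side by side, while the encrypted file system and the KMS key produce nothing.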

How to fix it

  1. Set Encrypted to true on the AWS::EFS::FileSystem resource
  2. Provide KmsKeyId pointing at a customer-managed KMS key for additional control
  3. For existing unencrypted filesystems, migrate data to a new encrypted filesystem
Flagged

The EFS file system is created with encrypted: false, leaving stored data unencrypted at rest.

import { aws_efs as efs, aws_ec2 as ec2 } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');
new efs.FileSystem(this, 'FileSystem', {
  vpc,
  encrypted: false, // explicitly disables at-rest encryption; omitting it has the same effect in CloudFormation
});
Fixed

Setting encrypted: true with a customer-managed KMS key enables at-rest encryption on the EFS file system at creation time.

import { aws_efs as efs, aws_ec2 as ec2, aws_kms as kms } from 'aws-cdk-lib';

const vpc = new ec2.Vpc(this, 'Vpc');
new efs.FileSystem(this, 'FileSystem', {
  vpc,
  encrypted: true,                       // must be set at creation; it cannot be enabled later
  kmsKey: new kms.Key(this, 'EfsKey'),   // customer-managed key instead of the AWS-managed EFS key
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::EFS::FileSystem

Compliance frameworks

SOC2, HIPAA, PCI-DSS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss efs-encryption-disabled and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "efs-encryption-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::efs-encryption-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID efs-encryption-disabled shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See the suppression docs for details.

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, and your code never leaves your machine.