Skip to content

Terraform AWS EFS

Amazon EFS file systems with mount targets, access points, backup policies, lifecycle management, encryption at rest, and security group controlled NFS access.

2 controls enforced18 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "efs" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cis.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "nis2.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

module "efs" {
  source  = "soc2.compliance.tf/terraform-aws-modules/efs/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "efs" {
  source  = "terraform-aws-modules/efs/aws"
  version = "1.0"
}

module "efs" {
  source  = "soc2.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "efs" {
  source  = "terraform-aws-modules/efs/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

Data protection

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.30 Controls for open systems

2 Storage

2.3 Elastic File System (EFS)

3 Storage

3.3 Elastic File System (EFS)

Your Data-1

Your Data-2

Your Systems-3

7.1 Data Storage - Damage Protection

Protection of Information at Rest (SC-28)

D3.PC.Am.B.12

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.312(a)(2)(iv) Encryption and decryption

164.312(e)(2)(ii) Encryption

A.8.11 Data masking

A.8.24 Use of cryptography

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

AU-9(3) Cryptographic Protection

CP-9(d)

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-13(a)

SC-28(1): Cryptographic Protection

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

ID.BE-5

PR.DS-01

PR.DS-1

500.15(a)

3.5.1: Primary account number (PAN) is secured wherever it is stored.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

Annex I (1.3)

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlAWS Well-Architected Framework v10Title 21 CFR Part 11CIS AWS Benchmark v5.0.0CIS AWS Benchmark v6.0.0CISA Cyber EssentialsEU GMP Annex 11FedRAMP Moderate Baseline Rev 4FFIEC Cybersecurity Assessment Tool
EFS file systems should have encryption at rest enabled
EFS file systems should be encrypted with CMK

Showing top 8 frameworks by coverage. All framework endpoints →