Terraform AWS EFS

Amazon EFS file systems with mount targets, access points, backup policies, lifecycle management, encryption at rest, and security group controlled NFS access.

Controls enforced

These compliance controls are checked at terraform plan time.

EFS file systems should have encryption at rest enabled(low effort)
EFS file systems should be encrypted with CMK(low effort)

Quick start

module "efs" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "cis.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

module "efs" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "efs" {
  source  = "terraform-aws-modules/efs/aws"
  version = "1.0"
}

module "efs" {
  source  = "soc2.compliance.tf/terraform-aws-modules/efs/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "efs" {
  source  = "terraform-aws-modules/efs/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

Data protection

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.30 Controls for open systems

2 Storage

2.3 Elastic File System (EFS)

EFS file systems should have encryption at rest enabled

3 Storage

3.3 Elastic File System (EFS)

EFS file systems should have encryption at rest enabled

Your Data-1

Your Data-2

Your Systems-3

7.1 Data Storage - Damage Protection

Protection of Information at Rest (SC-28)

D3.PC.Am.B.12

Framework coverage

Which controls from this module are active under each framework endpoint.

Control	FedRAMP Moderate Baseline Rev 4	Well-Architected Framework v10	AWS Benchmark v5.0.0	AWS Benchmark v6.0.0	CISA Cyber Essentials	Title 21 CFR Part 11	EU GMP Annex 11	FFIEC Cybersecurity Assessment Tool
EFS file systems should have encryption at rest enabled	●	●	●	●	●	●	●	●
EFS file systems should be encrypted with CMK	●	●	●	●	●	●	●	●

● enforced by default · ○ not activated by this endpoint