EFS File System (encrypted, in-transit TLS)

aws-efs

Amazon EFS file system with mount targets, a least-privilege NFS security group, storage-tiering lifecycle policies, automatic backups, and a resource policy that enforces encryption in transit. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

Networking is self-contained: leave subnet_ids empty and the module discovers the account's default VPC and places one mount target in each of its subnets — ideal for a quick test box. For real deployments, pin your own private subnets.

Secure defaults:

• Encryption at rest always on (encrypted = true): the AWS-managed aws/elasticfilesystem key by default, or your own CMK via kms_key_id
• Encryption in transit enforced: the file system policy denies any non-TLS access (aws:SecureTransport = false) and grants client access only to policy_principal_arns (default: the current account root)
• No public NFS: the mount-target security group allows port 2049 only from allowed_cidrs / allowed_security_group_ids; with neither set it defaults to the VPC's own CIDR (in-VPC clients only). It defines no egress rule.
• Automatic daily backups via AWS Backup (enable_backup_policy = true)
• Cost-aware lifecycle: files transition to Infrequent Access after 30 days and back to Standard on first access; bursting throughput has no reserved charge

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (tofu fmt, validate, tflint, checkov). Live apply/verify/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).