aws_efs_file_systems resource

Use the aws_efs_file_systems InSpec audit resource to test the properties of some or all AWS EFS file systems. To audit a single EFS file system, use aws_efs_file_system (singular).

This resource was added to the InSpec AWS resource pack in version 1.10.0 and is available with InSpec 4.18.108 and later.

Syntax

An aws_efs_file_systems resource block collects a group of EFS file system descriptions and then tests that group.

describe aws_efs_file_systems do
  it { should exist }
end

Parameters

This resource does not expect any parameters.

Properties

tags: The list of tags that the EFS file system has.
names: The value of the Name (case-sensitive) tag, if it is defined.
file_system_ids: The ID of the EFS file system.
creation_tokens: The creation token that the EFS file system is associated with.
owner_ids: The owner ID of the EFS file system.
entries: Provides access to the raw results of the query, which can be treated as an array of hashes.
creation_times: The creation time of the EFS file system.
performance_modes: The performance mode of the EFS file system, e.g. 'maxIO'.
encryption_status: Indicates whether the EFS file system is encrypted or not.
throughput_modes: The throughput mode of the EFS file system.
kms_key_ids: The ID of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the encrypted EFS file system.
size_in_bytes: The latest known metered size (in bytes) of data stored in the file system, in its value field.
life_cycle_states: The life cycle phase of the EFS file system, e.g. 'deleting'.

Examples

Ensure you have exactly 3 file systems:

describe aws_efs_file_systems do
  its("entries.count") { should cmp 3 }
end

Use this InSpec resource to request the IDs of all EFS file systems, then test each one in depth using aws_efs_file_system:

aws_efs_file_systems.file_system_ids.each do |file_system_id|
  describe aws_efs_file_system(file_system_id) do
    its("tags") { should include("companyName" => "My Company Name") }
    it { should be_encrypted }
    its("throughput_mode") { should eq "bursting" }
    its("performance_mode") { should eq "generalPurpose" }
  end
end

Matchers

The exist matcher passes if the describe block returns at least one result. Use should_not to test that the entity does not exist.

describe aws_efs_file_systems.where( <property>: <value>) do
  it { should exist }
end

describe aws_efs_file_systems.where( <property>: <value>) do
  it { should_not exist }
end

AWS Permissions

Your principal will need the elasticfilesystem:DescribeFileSystems action set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EFS, and Actions, Resources, and Condition Keys for Identity and Access Management.