{ "Resources": { "AWSConfigRule": { "Type": "AWS::Config::ConfigRule", "Properties": { "ConfigRuleName": { "Ref": "ConfigRuleName" }, "Description": "Checks whether Amazon EFS is configured to encrypt file data using AWS KMS. The rule is NON_COMPLIANT if the Encrypted key is set to False on DescribeFileSystems or, if specified, KmsKeyId key on DescribeFileSystems does not match the KmsKeyId parameter.", "InputParameters": { "KmsKeyId": { "Fn::If": [ "KmsKeyId", { "Ref": "KmsKeyId" }, { "Ref": "AWS::NoValue" } ] } }, "Scope": { "ComplianceResourceTypes": [ "AWS::EFS::FileSystem" ] }, "Source": { "Owner": "AWS", "SourceIdentifier": "EFS_ENCRYPTED_CHECK" }, "MaximumExecutionFrequency": { "Ref": "MaximumExecutionFrequency" } } } }, "Parameters": { "ConfigRuleName": { "Type": "String", "Default": "efs-encrypted-check", "Description": "The name that you assign to the AWS Config rule.", "MinLength": "1", "ConstraintDescription": "This parameter is required." }, "MaximumExecutionFrequency": { "Type": "String", "Default": "TwentyFour_Hours", "Description": "The frequency that you want AWS Config to run evaluations for the rule.", "MinLength": "1", "ConstraintDescription": "This parameter is required.", "AllowedValues": [ "One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours" ] }, "KmsKeyId": { "Type": "String", "Default": "", "Description": "Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system. Leave empty to check only that encryption is enabled, regardless of which key is used." } }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Required" }, "Parameters": [] }, { "Label": { "default": "Optional" }, "Parameters": [ "KmsKeyId" ] } ] } }, "Conditions": { "KmsKeyId": { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "KmsKeyId" } ] } ] } } }