
Issue with adding EFS file system policy through CDK V1

We have a CDK-based code repo to generate AWS resources. We have an AWS Lambda for which the EFS was created; the code is written in CDK v1 (using @aws-cdk/aws-efs).

To that I want to add a file system policy to the Elastic File System (EFS) to enforce encryption in transit. The change itself is clear.

In CDK v2 (using aws-cdk-lib) this change would be simple, as shown here.

```typescript
import * as efs from "aws-cdk-lib/aws-efs";
import * as iam from "aws-cdk-lib/aws-iam";

// Allow access only over an encrypted (TLS) connection.
const fileSystemPolicy = new iam.PolicyDocument({
  statements: [new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    principals: [new iam.AnyPrincipal()],
    actions: [
      // the action list was cut off in the original post
    ],
    conditions: {
      Bool: { "aws:SecureTransport": "true" },
    },
  })],
});

// `vpc` is the VPC the Lambda runs in (defined elsewhere in the stack).
const cfFs = new efs.FileSystem(this, "MyLambdaFilesystem", {
  vpc: vpc,
  fileSystemPolicy: fileSystemPolicy,
});
```

However, I could not find a way to do it with CDK v1, which is what I need. I looked at this doc for lambda.FileSystem, which mentions FileSystemConfig containing policies, but it seems we cannot set that.


Deleted the Updates from the question here to avoid causing confusion, as the updated answer resolves this issue.


  • Release 2.72.0 added the fileSystemPolicy prop to the EFS FileSystem construct in March 2023.

    For CDK v1, set the FileSystemPolicy manually with an escape hatch property override:

    ```typescript
    import * as efs from "@aws-cdk/aws-efs"; // CDK v1 package
    const cfFs = new efs.FileSystem(this, "MyLambdaFilesystem", {
      vpc: vpc,
    });
    // Escape hatch: drop to the underlying L1 CfnFileSystem and set the raw property
    // (fileSystemPolicy is the iam.PolicyDocument built in the question).
    const cfnCfFs = cfFs.node.defaultChild as efs.CfnFileSystem;
    cfnCfFs.addPropertyOverride("FileSystemPolicy", fileSystemPolicy.toJSON());
    ```

    The above code produces the same synthesized CloudFormation output as OP's v2 code.

    [Edit]: Here is the FileSystemPolicy from the CloudFormation template that cdk synth creates for me:

    ```json
    "MyLambdaFilesSystemEAD92DBE": {
      "Type": "AWS::EFS::FileSystem",
      "Properties": {
        "Encrypted": true,
        "FileSystemPolicy": {
          "Statement": [
            {
              "Action": [
              ],
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "true"
                }
              },
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    }
    ```
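As an added example (not code from the question, the answer, or the CDK project): a dependency-free TypeScript check you can run over the template that `cdk synth` writes, to confirm that the escape hatch above really produced a FileSystemPolicy gated on aws:SecureTransport and that the file system is encrypted at rest. The template path, the action names in the constructed sample, and the acceptance of the explicit-Deny policy shape alongside the Allow shape from the question are assumptions of the example, not something the posts state.

```typescript
// Added example (not from the question or answer): audit a synthesized
// CloudFormation template for EFS file systems whose FileSystemPolicy does
// not gate access on aws:SecureTransport, or that are not encrypted at rest.
// Intended input: the JSON that `cdk synth` writes to cdk.out/<Stack>.template.json
// (path is an assumption of this example).

interface CfnStatement {
  Effect?: string;
  Action?: string | string[];
  Principal?: unknown;
  Condition?: { Bool?: Record<string, unknown> };
}

interface Finding {
  logicalId: string;
  problem: "no-policy" | "allow-not-gated-on-tls" | "not-encrypted-at-rest";
}

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// The shape from the question: an Allow that only matches over TLS.
function allowGatedOnTls(s: CfnStatement): boolean {
  return String(s.Condition?.Bool?.["aws:SecureTransport"]).toLowerCase() === "true";
}

// The other common shape (assumption: accepted as equivalent here): an explicit
// Deny whenever the connection is not TLS.
function denyWhenNotTls(s: CfnStatement): boolean {
  return s.Effect === "Deny" &&
    String(s.Condition?.Bool?.["aws:SecureTransport"]).toLowerCase() === "false";
}

function auditEfsFileSystems(template: any): Finding[] {
  const findings: Finding[] = [];
  const resources: Record<string, any> = template?.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res?.Type !== "AWS::EFS::FileSystem") continue;
    const props = res.Properties ?? {};

    // Encryption at rest is the "Encrypted": true property in the synthesized output.
    if (props.Encrypted !== true) {
      findings.push({ logicalId, problem: "not-encrypted-at-rest" });
    }

    const statements = asArray<CfnStatement>(props.FileSystemPolicy?.Statement);
    if (statements.length === 0) {
      findings.push({ logicalId, problem: "no-policy" });
      continue;
    }
    const allows = statements.filter((s) => s.Effect === "Allow");
    const enforced = statements.some(denyWhenNotTls) || allows.every(allowGatedOnTls);
    if (!enforced) findings.push({ logicalId, problem: "allow-not-gated-on-tls" });
  }
  return findings;
}

// Convenience wrapper for the raw text of a template file.
function auditTemplateJson(text: string): Finding[] {
  return auditEfsFileSystems(JSON.parse(text));
}

// Constructed sample template (not real synth output): one file system shaped like the
// answer's output (action names are illustrative), one with no policy, one with an
// ungated Allow and no at-rest encryption, plus a non-EFS resource that must be ignored.
const SAMPLE_TEMPLATE = {
  Resources: {
    GoodFs: {
      Type: "AWS::EFS::FileSystem",
      Properties: {
        Encrypted: true,
        FileSystemPolicy: {
          Statement: [{
            Action: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
            Condition: { Bool: { "aws:SecureTransport": "true" } },
            Effect: "Allow",
            Principal: { AWS: "*" },
          }],
          Version: "2012-10-17",
        },
      },
    },
    NoPolicyFs: { Type: "AWS::EFS::FileSystem", Properties: { Encrypted: true } },
    OpenFs: {
      Type: "AWS::EFS::FileSystem",
      Properties: {
        Encrypted: false,
        FileSystemPolicy: {
          Statement: [{ Action: "elasticfilesystem:ClientMount", Effect: "Allow", Principal: { AWS: "*" } }],
          Version: "2012-10-17",
        },
      },
    },
    NotEfs: { Type: "AWS::Lambda::Function", Properties: {} },
  },
};

console.log(auditEfsFileSystems(SAMPLE_TEMPLATE));
```

Wire `auditTemplateJson` into the pipeline after `cdk synth` and fail the build on any finding; that catches a regression where the property override is removed or renamed and the file system silently ships without its policy.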