Profile Applicability:
- Level 1
Description:
Amazon Elastic File System (EFS) access points provide application-specific entry points into an EFS file system. These access points can enforce user identity by specifying a POSIX user and group to use when accessing the file system. Enforcing user identity ensures that all file system requests through the access point use the defined POSIX user, regardless of the identity of the client making the request.
Rationale:
Enforcing user identity at EFS access points enhances security by ensuring that all file operations are performed under a controlled and predefined user context. This eliminates the risk of unauthorized access and helps maintain proper file permissions, reducing the chance of privilege escalation or data breaches.
Impact:
Pros:
Ensures consistent user identity for all file system operations.
Reduces risks associated with unauthorized file access.
Simplifies access management for shared file systems.
Cons:
May impact applications relying on dynamic user identities.
Misconfiguration could result in access issues or permission errors.
Default Value:
By default, EFS access points do not enforce user identity unless explicitly configured with a PosixUser in the access point settings.
Pre-Requisite:
AWS IAM permissions:
elasticfilesystem:DescribeAccessPoints
elasticfilesystem:CreateAccessPoint
elasticfilesystem:UpdateAccessPoint
elasticfilesystem:DeleteAccessPoint
AWS CLI installed and configured.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Elastic File System (EFS)
In the navigation pane, choose Access Points.
Select the access point to review.
In the POSIX User section, verify if the UID and GID are set.
If not set, the access point does not enforce a user identity.
Using AWS CLI:
Run the following command to list EFS access points:
aws efs describe-access-points --region <region> --query 'AccessPoints[*].[AccessPointId,PosixUser]' --output table
Verify that PosixUser includes Uid and Gid for each access point.
Example output:
------------------------------------------
DescribeAccessPoints | +----------------------+---------------+ | AccessPointId | PosixUser | +----------------------+---------------+ | fsap-0123456789abcd | Uid=1001 | | | Gid=1001 | +----------------------+---------------+
If PosixUser is empty or missing, the access point is non-compliant.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Elastic File System (EFS).
Choose Access Points > Create Access Point.
Select the target file system.
In the POSIX User section:
Set User ID (UID) (e.g., 1001).
Set Group ID (GID) (e.g., 1001).
(Optional) Add Secondary Group IDs if needed.
Configure the root directory and permissions.
Review the settings and click Create Access Point.
Using AWS CLI:
Run the following command to create an EFS access point enforcing user identity:
aws efs create-access-point \
--file-system-id <file-system-id> \
--posix-user Uid=1001,Gid=1001 \
--root-directory 'Path=/data,CreationInfo={OwnerUid=1001,OwnerGid=1001,Permissions=750}' \
--region <region>
To update an existing access point to enforce user identity:
Note: EFS does not support direct updates to PosixUser; create a new access point if needed.
Verify the new access point:
aws efs describe-access-points --region <region> --query 'AccessPoints[*].[AccessPointId,PosixUser]'
Backout Plan:
If the enforced user identity causes access issues:
Identify the affected access point.
Create a new access point without the PosixUser configuration using either the AWS Console or AWS CLI.
Update applications or services to use the new access point.
Delete the problematic access point to avoid confusion.