Profile Applicability:

  • Level 1

Description:

Amazon Elastic File System (EFS) supports resource-based policies that control access to the file system. EFS policies can grant permissions to specific AWS principals or allow broader access within a Virtual Private Cloud (VPC). It is critical to ensure that EFS policies do not allow unrestricted access to any client within the VPC, as this could lead to unauthorized access and potential data breaches.

Rationale: 

Overly permissive EFS file system policies that allow any client within a VPC to access the file system increase the risk of unauthorized access. Misconfigured policies can expose sensitive data to unintended users or services within the network. Implementing least privilege principles ensures that only authorized instances and users can access the file system.

Impact: 

  • Pros:

    • Reduces risk of unauthorized access to file systems.

    • Enforces least privilege access control within the VPC.

    • Enhances overall security posture.

  • Cons:

    • May restrict access to legitimate clients if policies are too restrictive.

    • Requires careful configuration to avoid disrupting legitimate services.

Default Value: 

By default, Amazon EFS does not have any resource-based policies applied. Access is controlled via VPC security groups and NFS permissions.

Pre-Requisite:

  • AWS IAM permissions:

    • elasticfilesystem:DescribeFileSystems

    • elasticfilesystem:DescribeFileSystemPolicy

    • elasticfilesystem:PutFileSystemPolicy

  • AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS).

                 

  1. In the navigation pane, choose File Systems.

                 

  1. Select a file system to review.

           

  1. Go to the File System Policy tab.

                   

  1. Review the JSON policy:

    • Check for Effect: Allow statements with Principal: "*" or conditions that grant unrestricted access within the VPC.

  2. Repeat for all EFS file systems in the region.

Using AWS CLI:

Run the following command to list EFS file systems:

 aws efs describe-file-systems --region <region> --query 'FileSystems[*].FileSystemId' --output table

For each file system, run the following to retrieve its policy:

 aws efs describe-file-system-policy --file-system-id <file-system-id> --region <region>

Inspect the policy output for overly permissive statements, such as:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Principal": "*",

      "Action": "elasticfilesystem:ClientMount",

      "Condition": {

        "StringEquals": {

          "aws:Vpc": "vpc-abc12345"

        }

      }

    }

  ]

}

  • Principal: "*" combined with aws:Vpc conditions may allow any client within the VPC to mount the EFS.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS).

  3. Select the file system to modify.

                         

  1. Go to the File System Policy tab.

  2. Click Edit Policy.

             

  1. Modify the policy to restrict access to specific IAM roles or EC2 instances:    

    • Replace Principal: "*" with specific IAM ARNs.

    • Use conditions to enforce stricter access controls (e.g., source VPC, subnet, or security groups).

                     

  1. Save the updated policy.

                 

Using AWS CLI:

Prepare a secure EFS file system policy JSON file (efs-policy.json). Example policy allowing only specific roles:

 {

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Principal": {

        "AWS": "arn:aws:iam::123456789012:role/EFSReadOnlyRole"

      },

      "Action": "elasticfilesystem:ClientMount",

      "Condition": {

        "StringEquals": {

          "aws:Vpc": "vpc-abc12345"

        }

      }

    }

  ]

}

Apply the new policy to the EFS file system:

 aws efs put-file-system-policy --file-system-id <file-system-id> --policy file://efs-policy.json --region <region>

Verify the policy update:

 aws efs describe-file-system-policy --file-system-id <file-system-id> --region <region>

Backout Plan:

If the updated policy causes disruptions or unintended access issues:

  1. Revert to the previous EFS policy by restoring the last known good policy JSON.

                Use the AWS Console or CLI to reapply the previous policy:

 aws efs put-file-system-policy --file-system-id <file-system-id> --policy file://previous-policy.json --region <region>

  1. Monitor application and client access to ensure proper functionality is restored.

References:

  1. Amazon EFS File System Policies

  2. AWS CLI Command Reference – describe-file-system-policy

  3. Managing EFS File System Access

  4. IAM JSON Policy Elements: Principal

CIS Controls:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.3

Configure Data Access Control Lists – Apply least privilege principles to data access.

v8

6.5

Implement and Manage Data Encryption – Ensure encryption for sensitive file system data.

v7

14.6

Protect Information Through Access Control Lists – Apply strict access control policies to data.