Profile Applicability:
Level 2
Description:
Amazon Elastic File System (EFS) provides scalable file storage for use with Amazon EC2 instances. EFS Mount Targets allow EC2 instances to mount the file system using NFS protocols. By default, EFS mount targets are created within a VPC and are associated with security groups that control network traffic.
To ensure security, EFS Mount Targets should not be publicly accessible, which means they should not have 0.0.0.0/0 in their security group inbound rules for NFS (port 2049). Allowing public access could expose the file system to unauthorized users and potential attacks.
Rationale:
Publicly accessible EFS mount targets pose significant security risks, such as:
Unauthorized access: Exposing EFS to the public internet increases the attack surface.
Data breaches: Unauthorized users could access sensitive files stored in EFS.
Exploitation of vulnerabilities: Open NFS ports can be exploited by attackers.
Restricting EFS mount targets to private IP ranges or specific security groups reduces the risk of data breaches and unauthorized access.
Impact:
Pros:
Protects sensitive data from public exposure.
Reduces the attack surface for NFS-based attacks.
Aligns with security best practices for AWS resources.
Cons:
EC2 instances outside the VPC or across regions may require additional networking configurations (like VPN or VPC peering) to access EFS.
Potential disruptions if applications currently rely on public access.
Default Value:
EFS mount targets are not publicly accessible by default when created in a private subnet with appropriate security groups.
However, misconfigurations in security groups can inadvertently expose mount targets.
Pre-Requisite:
AWS IAM Permissions:
elasticfilesystem:DescribeMountTargets
ec2:DescribeSecurityGroups
elasticfilesystem:ModifyMountTargetSecurityGroups
VPC & Security Group Access:
Ability to view and modify security group rules.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Elastic File System (EFS).
Choose File Systems → Select the EFS you want to review.
Go to the Network tab → Under Mount Targets, note the Mount Target IDs and associated Security Groups.
Navigate to EC2 → Security Groups.
For each Security Group associated with the mount targets:
Go to the Inbound Rules tab.
Check for NFS (port 2049) with 0.0.0.0/0 or ::/0 as the source.
Pass: No public access (0.0.0.0/0 or ::/0) is allowed on port 2049.
Fail: Public access is detected on port 2049.
Using AWS CLI:
List Mount Targets:
aws efs describe-mount-targets --file-system-id <efs-id> --region <region>
Check Security Groups for Mount Targets:
aws ec2 describe-security-groups --group-ids <sg-id> --region <region>
Filter Inbound Rules for Public NFS Access:
aws ec2 describe-security-groups --group-ids <sg-id> --region <region> \ --query 'SecurityGroups[*].IpPermissions[?ToPort==`2049`].IpRanges[*].CidrIp'
Pass: No 0.0.0.0/0 or ::/0 in the IpRanges.
Fail: If 0.0.0.0/0 or ::/0 exists for port 2049.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Console.
Navigate to EC2 → Security Groups.
Locate the Security Group attached to the EFS Mount Target.
Edit Inbound Rules:
Remove any rule allowing port 2049 (NFS) from 0.0.0.0/0 or ::/0.
Add a rule to allow port 2049 only from private CIDR ranges or trusted security groups.
Save Changes.
Using AWS CLI:
Revoke Public Access:
aws ec2 revoke-security-group-ingress \ --group-id <sg-id> \ --protocol tcp \ --port 2049 \ --cidr 0.0.0.0/0
Allow Access from Private CIDR Range:
aws ec2 authorize-security-group-ingress \ --group-id <sg-id> \ --protocol tcp \ --port 2049 \ --cidr <private-cidr-range>
Verify Security Group Changes:
aws ec2 describe-security-groups --group-ids <sg-id> --region <region>
Backout Plan:
If removing public access causes unintended disruptions:
Using AWS Console:
Navigate to EC2 → Security Groups.
Re-add the inbound rule for NFS (port 2049) with 0.0.0.0/0.
Using AWS CLI:
aws ec2 authorize-security-group-ingress \ --group-id <sg-id> \ --protocol tcp \ --port 2049 \ --cidr 0.0.0.0/0