Profile Applicability:
 • Level 2

Description:

Controlling network access to Amazon EFS services is essential to ensure that only authorized EC2 instances, applications, or users can access the file system. This involves using VPC security groups and network access control lists (NACLs) to restrict access to EFS based on IP addresses, subnets, and user groups. Properly managing network access ensures that sensitive data stored in EFS is not exposed to unauthorized resources within or outside the VPC.

Rationale:

Network access control to EFS is vital for securing shared file systems. By controlling access at the network level using security groups and NACLs, you can limit access to only those EC2 instances that require it. This reduces the attack surface and prevents unauthorized users or applications from accessing or tampering with sensitive data stored in the EFS file system.

Impact:

Pros:

  • Ensures that only authorized EC2 instances or users can access the EFS file system

  • Provides granular control over access using VPC security groups and NACLs

  • Helps prevent unauthorized access and improves overall security posture

  • Reduces the risk of security breaches by limiting access to only necessary resources

Cons:

  • Misconfiguration of security groups or NACLs can accidentally block legitimate access to the EFS file system

  • Requires ongoing monitoring and management to ensure proper access control settings

  • May increase complexity in configuring and managing network access rules, especially in large environments

Default Value:

By default, EFS is not restricted by network access settings, and all resources within the VPC can access it. Network access must be manually configured using security groups and NACLs to restrict access.

Pre-requisites:

  • IAM permissions to create and manage security groups, NACLs, and EFS resources

  • Properly configured VPC and subnets with the necessary security groups

  • A well-defined access control strategy to specify which resources should have access to EFS

  • Understanding of network topology and how traffic should flow to the EFS service

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Verify the EFS file system has been created and that mount targets have been configured in the appropriate subnets

  4. Navigate to EC2 > Security Groups

  5. Check that the security group(s) associated with the EFS mount targets only allow inbound NFS traffic (port 2049) from authorized EC2 instances or networks

  6. Review VPC Network ACLs to ensure only authorized subnets or IP addresses can access the EFS mount targets

  7. Verify that the necessary security groups are associated with EC2 instances that need access to the EFS file system

  8. Ensure that any other network resources (e.g., Lambda, on-premises systems) requiring access to EFS are configured with appropriate access rules

Using AWS CLI:

List the mount targets for the EFS file system, noting each mount target ID and subnet ID for the checks that follow:

aws efs describe-mount-targets --file-system-id <file-system-id>

Review the security group settings to ensure that inbound NFS traffic (port 2049) is allowed only from authorized instances:

aws ec2 describe-security-groups --group-ids <security-group-id>

Verify the network ACL associated with each mount target subnet allows NFS access only from authorized IP ranges:

aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<subnet-id>

List the security groups attached to each mount target (describe-mount-targets does not return them):

aws efs describe-mount-target-security-groups --mount-target-id <mount-target-id>
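The review in step 5 and in the describe-security-groups command above is easy to get wrong by eye when a group has many rules. The following added example (not part of this benchmark) consumes the JSON that aws ec2 describe-security-groups returns and reports every inbound rule that lets TCP 2049 in from a source outside an allow-list of CIDR blocks and security group IDs. The security group IDs, CIDRs and rules in the sample are constructed for illustration.

```python
"""Audit inbound NFS exposure in security groups attached to EFS mount targets.

Input is the JSON produced by
    aws ec2 describe-security-groups --group-ids <security-group-id> --output json
Every inbound rule reaching TCP 2049 whose source is not covered by the
allow-list (CIDRs and security group IDs) is reported as a finding.
"""
import ipaddress
import json
import sys

NFS_PORT = 2049


def rule_covers_nfs(perm):
    """True when an IpPermissions entry reaches TCP 2049 (or all traffic, "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    # A tcp rule without explicit ports is treated as all ports (conservative).
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def cidr_is_allowed(cidr, allowed_nets):
    """True if the rule's CIDR lies entirely inside one allow-listed network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(a.version == net.version and net.subnet_of(a) for a in allowed_nets)


def audit_nfs_ingress(describe_output, allowed_cidrs, allowed_sgs):
    """Return [(group_id, reason), ...] for rules that open NFS too widely."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_nfs(perm):
                continue
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if not cidr_is_allowed(cidr, allowed_nets):
                    findings.append((gid, f"NFS (2049) open to {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_sgs:
                    findings.append((gid, f"NFS (2049) open to group {pair['GroupId']}"))
            for pl in perm.get("PrefixListIds", []):
                # Prefix lists hide their members; surface them for manual review.
                findings.append((gid, f"NFS (2049) open via prefix list {pl['PrefixListId']}"))
    return findings


# Constructed sample output (IDs and ranges are made up) in the shape the CLI returns.
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0efs0example00001", "GroupName": "EFS-Security-Group",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0app0example00002", "UserId": "111122223333"}]},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []}
  ]}]}
""")

if __name__ == "__main__":
    # Usage: python audit_efs_sg.py [describe-security-groups.json]
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SGS
    for group_id, reason in audit_nfs_ingress(data, ["10.0.0.0/16"], {"sg-0app0example00002"}):
        print(f"{group_id}: {reason}")
```

Run against the sample, the rule limited to 10.0.1.0/24 and the application security group passes, while the 0.0.0.0/0 rule on 2049 and the all-traffic rule from 192.168.0.0/16 are reported; the SSH rule is ignored because it never reaches port 2049. Pass the real CLI output as the first argument to audit a live group.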

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Select the EFS file system and go to the Network tab

  4. Click Add Mount Target to create mount targets in the necessary subnets and Availability Zones

  5. Under Security Groups, create or select an existing security group that restricts access to the EFS file system to only authorized resources. For example, configure the security group to allow inbound access only on port 2049 (NFS) from specific EC2 instances or subnets.

  6. Navigate to EC2 > Security Groups and ensure that the correct rules are applied, such as allowing only authorized subnets or EC2 instances to connect to the EFS mount targets

  7. Review Network ACLs for the VPC and ensure that only authorized IP addresses or subnets can access the EFS service

Using AWS CLI:

Create a security group in the VPC that hosts the mount targets (or modify an existing one) to restrict access to the EFS mount targets:

aws ec2 create-security-group --group-name EFS-Security-Group --description "Security group for EFS access" --vpc-id <vpc-id>

Add an inbound rule to allow only specific IP ranges or security groups access to the EFS mount targets on port 2049:

aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 2049 \
  --cidr <authorized-ip-range>

Associate the security group with the EFS mount targets:

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Add an inbound entry to the network ACL of the mount target subnets so that NFS is reachable only from authorized IP addresses or subnets. Network ACLs are stateless and evaluated in ascending rule-number order: a lower-numbered allow-all entry takes precedence over this one, and a matching outbound entry permitting return traffic to the clients' ephemeral ports is also required or mounts will hang:

aws ec2 create-network-acl-entry \
  --network-acl-id <network-acl-id> \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=2049,To=2049 \
  --cidr-block <authorized-ip-range> \
  --ingress \
  --rule-action allow
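Network ACL behaviour is the part of this control most often misjudged, so the following added example (not from this benchmark) evaluates a subnet's ACL the way the VPC does: entries in ascending RuleNumber order, first match wins, implicit deny (shown in describe-network-acls output as the RuleNumber 32767 entry). It takes one element of the NetworkAcls list that aws ec2 describe-network-acls returns and checks both directions of an NFS session, so it also demonstrates the stateless-return-traffic caveat. The ACL entries and addresses in the sample are constructed.

```python
"""Evaluate a VPC network ACL for NFS access from a given client address.

Input shape: one element of "NetworkAcls" from
    aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<subnet-id>
"""
import ipaddress

NFS_PORT = 2049
TCP = "6"  # NACL entries carry IANA protocol numbers as strings ("-1" = all)
# NACLs are stateless: replies leave the mount target subnet towards the client's
# ephemeral source port. A few ports across that range are sampled here.
EPHEMERAL_SAMPLE_PORTS = (1024, 32768, 49152, 65535)


def entry_matches(entry, addr, port, proto):
    """True if a single ACL entry applies to this address, port and protocol."""
    if entry["Protocol"] not in ("-1", proto):
        return False
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if cidr is None or addr not in ipaddress.ip_network(cidr, strict=False):
        return False
    pr = entry.get("PortRange")  # absent on all-traffic entries
    return pr is None or pr["From"] <= port <= pr["To"]


def evaluate(entries, egress, ip, port, proto=TCP):
    """Return "allow" or "deny" for one direction, first match in rule order."""
    addr = ipaddress.ip_address(ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress:
            continue
        if entry_matches(entry, addr, port, proto):
            return entry["RuleAction"]
    return "deny"  # nothing matched: the implicit "*" deny applies


def nfs_session_permitted(nacl, client_ip):
    """True only if the client reaches 2049 AND replies can leave the subnet."""
    entries = nacl["Entries"]
    inbound_ok = evaluate(entries, False, client_ip, NFS_PORT) == "allow"
    replies_ok = all(evaluate(entries, True, client_ip, p) == "allow"
                     for p in EPHEMERAL_SAMPLE_PORTS)
    return inbound_ok and replies_ok


def drop_return_rule(nacl):
    """Copy of the ACL without its outbound allow, to show the stateless pitfall."""
    return {"NetworkAclId": nacl["NetworkAclId"],
            "Entries": [e for e in nacl["Entries"]
                        if not (e["Egress"] and e["RuleAction"] == "allow")]}


# Constructed sample: a custom ACL on the mount target subnet that admits NFS only
# from 10.0.1.0/24 and lets replies back out to that range.
SAMPLE_NACL = {
    "NetworkAclId": "acl-0example000000001",
    "Entries": [
        {"RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 2049, "To": 2049}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow", "Egress": True,
         "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for ip in ("10.0.1.15", "10.0.9.7"):
        print(ip, "full ACL:", nfs_session_permitted(SAMPLE_NACL, ip),
              "| no return rule:", nfs_session_permitted(drop_return_rule(SAMPLE_NACL), ip))
```

With the sample ACL a client at 10.0.1.15 is permitted and one at 10.0.9.7 (inside the VPC but outside the authorized range) is denied; remove the outbound entry and even the authorized client fails, because the inbound allow alone does not let NFS replies leave the subnet.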

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the EFS file system

  3. Click Delete Mount Target to remove a mount target if access needs to be revoked

  4. Remove or modify the security group rules to allow more permissive access if needed

  5. Delete or modify network ACL rules if necessary to widen access

Using AWS CLI:

Remove a security group rule that allows NFS traffic on port 2049:

aws ec2 revoke-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 2049 \
  --cidr <authorized-ip-range>

Delete the mount target:

aws efs delete-mount-target --mount-target-id <mount-target-id>

Delete the inbound network ACL entry (rule 100) added above to restore the previous access:

aws ec2 delete-network-acl-entry \
  --network-acl-id <network-acl-id> \
  --rule-number 100 \
  --ingress

References: