Profile Applicability:
 • Level 2

Description:

File-level access control for Amazon EFS is crucial for securing sensitive data stored in the file system. Mount targets within a VPC allow EC2 instances and other resources to connect to the EFS file system. Proper configuration of file-level access controls ensures that only authorized EC2 instances can access the file system at the file system level, based on permissions and network settings. This includes restricting access via security groups, IAM roles, and access points for specific file-level controls.

Rationale:

Implementing file-level access control with mount targets ensures that EFS is accessible only by those resources that require access. This control reduces the attack surface by ensuring only authorized EC2 instances, applications, or services can interact with sensitive data. By using access points, security groups, and proper IAM permissions, organizations can enforce the principle of least privilege while providing controlled access to critical data.

Impact:

Pros:

  • Provides granular control over which EC2 instances and applications can access the EFS file system

  • Limits the potential for unauthorized access by enforcing security policies at the file level

  • Uses security groups and IAM roles to enforce strict access rules based on instances, subnets, and user roles

  • Improves data security by isolating access to the file system and ensuring that only necessary entities can read/write to files

Cons:

  • Misconfiguration of security groups, NACLs, or IAM roles could block legitimate access to EFS

  • Increased complexity when managing access policies and ensuring proper configurations across multiple EC2 instances or services

  • Additional overhead in managing access points and security rules for large-scale environments

Default Value:

By default, no access controls are applied to Amazon EFS. The file system is accessible by any EC2 instance that can communicate with the mount targets in the VPC unless specific configurations, such as security groups or IAM roles, are set.

Pre-requisites:

  • IAM permissions to create, configure, and manage EFS file systems, security groups, NACLs, and mount targets

  • A defined network strategy and VPC with proper subnets and route tables

  • EC2 instances or other resources requiring access to EFS with appropriate security groups and IAM roles

  • Knowledge of specific file-level access requirements, such as which applications or services need access to the file system

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Verify that EFS file systems are associated with mount targets in the appropriate subnets of the VPC

  4. Review the mount target security groups to ensure they are correctly configured to restrict access to authorized instances only

  5. Check that the IAM roles and policies for EC2 instances have the required permissions to access EFS

  6. Review the access points and ensure that only authorized EC2 instances can use them for file-level access control

  7. Ensure that the file-level permissions are correctly configured on the EFS file system to enforce specific read/write access for users and groups

Using AWS CLI:

List all EFS file systems:

aws efs describe-file-systems

Describe a specific EFS file system to verify its mount targets and access control settings:

aws efs describe-file-systems --file-system-id <file-system-id>

Verify the security groups associated with each mount target to ensure only authorized EC2 instances can access the file system. The security groups are not part of the describe-mount-targets output, so list the mount target IDs first and then query each mount target:

aws efs describe-mount-targets --file-system-id <file-system-id> --query "MountTargets[*].MountTargetId"

aws efs describe-mount-target-security-groups --mount-target-id <mount-target-id>

Check the IAM roles for EC2 instances to ensure they have the appropriate permissions to access EFS:

aws iam list-attached-role-policies --role-name <role-name>

Verify that the access points are configured correctly:

aws efs describe-access-points --file-system-id <file-system-id>
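As an added check for step 4 of the Test Plan (example code, not part of this benchmark): the audit logic below takes describe-security-groups output for a file system's mount-target security groups and flags any grant that reaches NFS (TCP/2049) from a CIDR range rather than from a referenced security group. The fetch_mount_target_groups helper and the sample groups are assumptions of this example.

```python
"""Audit mount-target security groups for over-broad NFS (TCP/2049) exposure.
Added example for the Test Plan; the sample data below is constructed."""


def covers_nfs(perm):
    """True if an inbound IpPermissions entry reaches TCP/2049."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols / all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 2049 <= perm.get("ToPort", 65535)


def nfs_findings(security_groups):
    """Report every CIDR-based grant that reaches NFS on the given groups.
    Grants that reference another security group (UserIdGroupPairs) tie access
    to specific instances rather than address ranges, so they are not reported."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_nfs(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                sev = "HIGH" if cidr in ("0.0.0.0/0", "::/0") else "MEDIUM"
                findings.append({"GroupId": sg["GroupId"], "Cidr": cidr, "Severity": sev})
    return findings


def fetch_mount_target_groups(file_system_id):
    """Live lookup (needs AWS credentials): mount targets -> SG ids -> SG descriptions."""
    import boto3  # imported here so the audit logic above runs offline
    efs, ec2 = boto3.client("efs"), boto3.client("ec2")
    sg_ids = set()
    for mt in efs.describe_mount_targets(FileSystemId=file_system_id)["MountTargets"]:
        resp = efs.describe_mount_target_security_groups(MountTargetId=mt["MountTargetId"])
        sg_ids.update(resp["SecurityGroups"])
    return ec2.describe_security_groups(GroupIds=sorted(sg_ids))["SecurityGroups"]


# Constructed sample: sg-0aaa only admits an instance SG, sg-0ccc is open to the world.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049,
     "ToPort": 2049, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in nfs_findings(SAMPLE_GROUPS):
        print(f"{f['Severity']}: {f['GroupId']} admits NFS from {f['Cidr']}")
```

For a live run, replace SAMPLE_GROUPS with fetch_mount_target_groups("<file-system-id>"); an empty findings list means every NFS grant is security-group based.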

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Select an EFS file system and go to the Network tab

  4. Click Create Mount Target to add mount targets in the relevant subnets

  5. Select the security groups for the mount targets to restrict access to authorized EC2 instances

  6. Enable IAM roles for EC2 instances to allow them to securely access the EFS file system

  7. Optionally, configure Access Points to define more granular file-level access control for specific applications or users

  8. Verify that the access permissions (read/write) on the file system are configured to align with the security policy

Using AWS CLI:

Create a mount target in a specific subnet with security group restrictions:

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Create an access point for file-level access control:

aws efs create-access-point \
  --file-system-id <file-system-id> \
  --posix-user Uid=1001,Gid=1001 \
  --root-directory "Path=/mydata"

Attach the necessary IAM role to an EC2 instance for EFS access:

aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess

Verify the file system's access control settings and mount targets:

aws efs describe-file-systems --file-system-id <file-system-id>
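An added example for the IAM step of the Implementation Plan (not this benchmark's own code): in place of the account-wide managed policy attached above, it builds an inline policy that allows ClientMount (and optionally ClientWrite) only through one access point via the elasticfilesystem:AccessPointArn condition key, and checks any policy document for EFS client grants that lack that condition. The ARNs are constructed placeholders.

```python
"""Build and check a least-privilege IAM policy for EFS client access through
one access point. Added example; ARNs below are constructed placeholders."""
import json

CLIENT_ACTIONS = ("elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                  "elasticfilesystem:ClientRootAccess")


def efs_client_policy(file_system_arn, access_point_arn, allow_write=False):
    """Policy document: mount (and optionally write) only via the named access point."""
    actions = ["elasticfilesystem:ClientMount"]
    if allow_write:
        actions.append("elasticfilesystem:ClientWrite")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions, "Resource": file_system_arn,
        "Condition": {"StringEquals": {"elasticfilesystem:AccessPointArn": access_point_arn}},
    }]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def unscoped_client_grants(policy):
    """Return Allow statements granting EFS client actions with no access-point condition.
    Catches explicit client actions and wildcards such as elasticfilesystem:* or *."""
    bad = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        grants_client = any(a in CLIENT_ACTIONS or a in ("*", "elasticfilesystem:*")
                            or a.endswith("Client*") for a in actions)
        cond = st.get("Condition", {})
        scoped = any("elasticfilesystem:AccessPointArn" in ops for ops in cond.values())
        if grants_client and not scoped:
            bad.append(st)
    return bad


if __name__ == "__main__":
    fs = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE"
    ap = "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE"
    # Save this and attach with: aws iam put-role-policy --policy-document file://policy.json
    print(json.dumps(efs_client_policy(fs, ap, allow_write=True), indent=2))
```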

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the EFS file system and remove the mount target if necessary

  3. Delete or modify security group rules to allow access to other instances or resources if required

  4. Revert IAM role and policy changes if access needs to be restored

  5. Delete or modify access points if they were misconfigured

Using AWS CLI:

Remove a mount target:

aws efs delete-mount-target --mount-target-id <mount-target-id>

Delete an access point:

aws efs delete-access-point --access-point-id <access-point-id>

Revert IAM role and policy changes:

aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess

References: