Profile Applicability:
 • Level 2

Description:

Mount targets in Amazon EFS are used to allow EC2 instances to access the EFS file system over the network. By associating appropriate security groups with mount targets, administrators can control the inbound and outbound traffic to the file system. Managing mount target security groups ensures that only authorized EC2 instances or services can access the EFS file system, helping prevent unauthorized access and maintaining a secure network configuration.

Rationale:

Using security groups to control access to EFS mount targets is a key step in securing the data in the file system. Security groups act as firewalls, allowing traffic only from trusted IP addresses, subnets, or EC2 instances that require access. This ensures that unauthorized instances cannot access the file system, reducing the risk of data leaks, tampering, or breaches. Proper management of these security groups ensures that access is granted based on the least privilege principle, which is a fundamental security measure.

Impact:

Pros:

  • Enhances security by restricting access to EFS to only trusted EC2 instances or IP ranges

  • Allows for granular control over the inbound and outbound traffic to the EFS file system

  • Simplifies managing network security as part of overall VPC security architecture

  • Improves compliance with network security policies by enforcing access controls at the mount target level

Cons:

  • Misconfigurations may unintentionally block access to legitimate EC2 instances or services

  • Requires ongoing management and updates to security groups as instances are added or removed

  • Increased complexity when managing multiple security groups across different environments and applications

Default Value:

By default, EFS does not automatically associate any security groups with mount targets, meaning that no network-level restrictions are applied until security groups are configured manually.

Pre-requisites:

  • IAM permissions to create, modify, and manage security groups, NACLs, and EFS resources (e.g., ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupIngress)

  • Understanding of the required access for EC2 instances or services that need access to EFS

  • Existing EC2 instances or resources with associated security groups and VPC configurations

  • A defined security strategy to control access to EFS based on application and user needs

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Select the EFS file system to which the mount targets are associated

  4. Under the Network section, check the Mount Targets tab to see which mount targets have been created

  5. Review the Security Groups associated with each mount target and verify that only the required security groups are applied

  6. Ensure that the security group rules for these mount targets allow only necessary traffic (e.g., NFS traffic on port 2049 from trusted EC2 instances or specific subnets)

  7. Verify that no security groups are open to all inbound traffic (e.g., port 2049 open to 0.0.0.0/0)

Using AWS CLI:

List all EFS file systems:

aws efs describe-file-systems

Describe the mount targets for the file system:

aws efs describe-mount-targets --file-system-id <file-system-id>

Verify the security groups associated with the mount targets:

aws efs describe-mount-targets --file-system-id <file-system-id> --query "MountTargets[*].SecurityGroups"

List the inbound rules for the security group to ensure NFS traffic is allowed only from trusted IP ranges or EC2 instances:

aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[0].IpPermissions"

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to EFS > File Systems

  3. Select the EFS file system and go to the Network tab

  4. Click Create Mount Target if one does not already exist or select an existing mount target

  5. Choose the subnet where the mount target should be created and ensure it is in the correct Availability Zone for high availability

  6. In the Security Groups section, either select an existing security group or create a new one that restricts access to the file system to authorized EC2 instances only

  7. Ensure that the security group allows inbound NFS traffic (port 2049) only from trusted EC2 instances, subnets, or specific IP ranges

  8. After configuring the security groups, click Create Mount Target to apply the settings

  9. Test the configuration by attempting to access the EFS file system from an authorized EC2 instance and verify that other EC2 instances or unauthorized IPs cannot access the file system

Using AWS CLI:

Create a mount target in a specific subnet with restricted access:

aws efs create-mount-target \
  --file-system-id <file-system-id> \
  --subnet-id <subnet-id> \
  --security-groups <security-group-id>

Modify an existing security group to allow only trusted sources to access the EFS mount target on port 2049:

aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 2049 \
  --cidr <trusted-ip-range>

Remove overly permissive inbound rules, such as allowing port 2049 from 0.0.0.0/0:

aws ec2 revoke-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 2049 --cidr 0.0.0.0/0

Verify the changes by listing the security groups associated with the mount target:

aws efs describe-mount-targets --file-system-id <file-system-id> --query "MountTargets[*].SecurityGroups"
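The audit described in the Test Plan above and the authorize/revoke steps of this Implementation Plan, carried out as one offline Python script. This is an added example, not part of the benchmark text or of any AWS tooling: it parses the JSON documents that `aws efs describe-mount-targets` and `aws ec2 describe-security-groups` return (saved with `> file.json`), flags every security group on a mount target whose NFS/2049 rule admits a CIDR outside the trusted prefixes, and emits the matching revoke and authorize commands. The two sample documents, the group IDs (sg-0trusted, sg-0open, sg-0appservers), the mount target and subnet IDs, and the trusted prefix 10.0.0.0/8 are all constructed for illustration.

```python
"""Audit and plan remediation of EFS mount-target security groups (NFS/2049).

Added example, not part of this benchmark or of any AWS tooling.  It runs offline
on the JSON shapes returned by `aws efs describe-mount-targets` and
`aws ec2 describe-security-groups`; all IDs and documents below are constructed.
"""
import ipaddress
import json

NFS_PORT = 2049

# Constructed sample in the shape of `aws efs describe-mount-targets` output.
MOUNT_TARGETS_JSON = json.dumps({"MountTargets": [
    {"MountTargetId": "fsmt-0000000000000001", "FileSystemId": "fs-00000001",
     "SubnetId": "subnet-0aaa", "SecurityGroups": ["sg-0trusted"]},
    {"MountTargetId": "fsmt-0000000000000002", "FileSystemId": "fs-00000001",
     "SubnetId": "subnet-0bbb", "SecurityGroups": ["sg-0trusted", "sg-0open"]},
]})

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0trusted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0appservers"}]}]},
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "-1",  # all protocols and ports: also covers NFS
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
]})


def rule_covers_nfs(perm):
    """True if an IpPermissions entry includes TCP/2049 (or all protocols and ports)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def cidr_sources(perm):
    """IPv4 and IPv6 CIDR sources of one IpPermissions entry (group refs excluded)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def cidr_is_trusted(cidr, trusted_cidrs):
    """True if cidr lies entirely inside one trusted prefix of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in trusted_cidrs:
        tnet = ipaddress.ip_network(trusted, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def _groups_by_id(security_groups_json):
    return {g["GroupId"]: g for g in json.loads(security_groups_json)["SecurityGroups"]}


def audit_mount_targets(mount_targets_json, security_groups_json, trusted_cidrs):
    """Return (mount_target_id, group_id, source) for every NFS rule whose CIDR
    source is outside the trusted prefixes.  Rules that reference another
    security group (UserIdGroupPairs) are the recommended pattern for granting
    instance access and are not flagged."""
    groups = _groups_by_id(security_groups_json)
    findings = []
    for mt in json.loads(mount_targets_json)["MountTargets"]:
        for gid in mt["SecurityGroups"]:
            group = groups.get(gid)
            if group is None:
                findings.append((mt["MountTargetId"], gid, "group-not-described"))
                continue
            for perm in group.get("IpPermissions", []):
                if rule_covers_nfs(perm):
                    for cidr in cidr_sources(perm):
                        if not cidr_is_trusted(cidr, trusted_cidrs):
                            findings.append((mt["MountTargetId"], gid, cidr))
    return findings


def plan_remediation(group_id, security_groups_json, trusted_cidrs):
    """CLI commands that revoke every untrusted CIDR rule covering 2049 on the
    group and then authorize each trusted prefix not already present.  A revoke
    must match the existing rule exactly, so it copies that rule's own
    protocol and port range rather than assuming '--port 2049'."""
    commands, present = [], set()
    for perm in _groups_by_id(security_groups_json)[group_id].get("IpPermissions", []):
        if not rule_covers_nfs(perm):
            continue
        proto = perm["IpProtocol"]
        for cidr in cidr_sources(perm):
            if cidr_is_trusted(cidr, trusted_cidrs):
                present.add(cidr)
                continue
            cmd = ["aws", "ec2", "revoke-security-group-ingress",
                   "--group-id", group_id, "--protocol", proto]
            if proto == "tcp":  # '-1' (all traffic) rules carry no port range
                lo, hi = perm["FromPort"], perm["ToPort"]
                cmd += ["--port", str(lo) if lo == hi else f"{lo}-{hi}"]
            commands.append(" ".join(cmd + ["--cidr", cidr]))
    for cidr in trusted_cidrs:
        if cidr not in present:
            commands.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                            f"--protocol tcp --port {NFS_PORT} --cidr {cidr}")
    return commands


if __name__ == "__main__":
    trusted = ["10.0.0.0/8"]  # constructed: the VPC-internal range we trust
    for mt_id, gid, src in audit_mount_targets(MOUNT_TARGETS_JSON, SECURITY_GROUPS_JSON, trusted):
        print(f"FINDING {mt_id}: {gid} admits NFS from {src}")
    for cmd in plan_remediation("sg-0open", SECURITY_GROUPS_JSON, trusted):
        print(cmd)
```

Run against real output by replacing the two constants with the saved JSON files. The planner deliberately leaves security-group references alone: a rule whose source is another security group (for example the application servers' group) is the least-privilege form the Implementation Plan asks for, and revoking it would produce the outage the Impact section warns about.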

Backout Plan:

Using AWS Console:

  1. Navigate to EFS > File Systems

  2. Select the EFS file system

  3. Click Delete Mount Target to remove the mount target if access needs to be revoked

  4. Modify or delete the security group rules to allow broader access, if necessary

  5. Revert IAM role or NACL changes to restore the previous configuration if required

Using AWS CLI:

Delete a mount target:

aws efs delete-mount-target --mount-target-id <mount-target-id>

Revert security group rules to allow more permissive access if needed:

aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 2049 \
  --cidr <previous-ip-range>

References: