Profile Applicability:
• Level 2
Description:
VPC endpoints provide private connectivity between your VPC and supported AWS services, such as Amazon EFS, without the need for an internet gateway, NAT device, or VPN connection. By using VPC endpoints, traffic between your Amazon EC2 instances and EFS file systems can remain within the AWS network, ensuring enhanced security and reduced exposure to potential external threats. Using VPC endpoints for EFS ensures that sensitive data is transferred privately and securely within the AWS infrastructure.
Rationale:
Using VPC endpoints for Amazon EFS helps avoid exposing file system traffic to the public internet, thereby enhancing security and reducing the risk of man-in-the-middle attacks or data interception. Traffic stays within the AWS network, which is highly secure and optimized for low-latency, high-throughput communication. Additionally, using VPC endpoints eliminates the need for public IP addresses, NAT gateways, or VPNs, simplifying the architecture while increasing privacy and compliance with data security standards.
Impact:
Pros:
Ensures that EFS traffic remains within the AWS private network, reducing the risk of data breaches
Improves security by eliminating the need for internet-facing access points to EFS
Reduces the exposure of traffic to external risks and potential attack vectors
Simplifies architecture by eliminating the need for public IP addresses and NAT gateways for internal communications
Helps meet compliance requirements such as HIPAA, PCI DSS, and GDPR by securing data in transit
Cons:
Requires the setup of VPC endpoints and appropriate route configurations, adding complexity to the network architecture
May incur additional costs for VPC endpoint usage depending on the amount of data transferred through the endpoint
Can cause potential connectivity issues if misconfigured, especially if proper routing or security group rules are not applied
Default Value:
By default, EFS is accessible over the internet unless configured with VPC endpoints. Public access to the file system is allowed unless VPC endpoints are set up to route traffic securely within the AWS network.
Pre-requisites:
IAM permissions to create and configure VPC endpoints and security groups
VPC with the necessary subnets and route tables to accommodate the endpoint
EFS file system already set up in the VPC with necessary mount targets
Knowledge of the network requirements and resources that need access to the EFS file system
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to VPC > Endpoints
Verify that there is a VPC endpoint for Amazon EFS
Ensure that the Service Name is set to com.amazonaws.vpce.us-east-1.efs (or appropriate region)
Ensure that the VPC and subnets are correctly selected to route traffic between EC2 instances and the EFS file system
Review the Route Tables associated with the VPC endpoint to confirm that traffic to EFS is routed securely through the endpoint
Verify that Security Groups and NACLs are configured to allow access to the file system from trusted EC2 instances or other AWS resources
Ensure that private DNS resolution is enabled for EFS through the VPC endpoint (EFS access points require DNS support for proper operation)
Test by connecting an EC2 instance to the EFS file system and ensure that traffic does not traverse the public internet
Using AWS CLI:
List the VPC endpoints available in your account:
aws ec2 describe-vpc-endpoints --filters "Name=service-name,Values=com.amazonaws.vpce.*.efs"
Describe a specific VPC endpoint to ensure it is set up for EFS:
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <vpc-endpoint-id>
Verify that the endpoint is associated with the correct VPC and subnet:
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <vpc-endpoint-id> --query "VpcEndpoints[].[VpcEndpointId,VpcId,SubnetIds]"
Ensure that traffic is being routed through the VPC endpoint by reviewing the routing tables:
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
Verify that private DNS is enabled for the VPC endpoint for Amazon EFS and that DNS entries have been created:
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <vpc-endpoint-id> --query "VpcEndpoints[].[PrivateDnsEnabled,DnsEntries]"
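The test plan above can be scripted against the JSON that `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` return. This is an added example, not part of the benchmark; the two sample documents are constructed, and the VPC, subnet, endpoint and security-group IDs in them are placeholders.

```python
import json
from fnmatch import fnmatch

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output; not real account data.
SAMPLE_ENDPOINTS = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0123456789abcdef0", "VpcEndpointType": "Interface",
   "VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.vpce.us-east-1.efs", "State": "available",
   "SubnetIds": ["subnet-0a", "subnet-0b"], "Groups": [{"GroupId": "sg-0efs"}],
   "PrivateDnsEnabled": true, "DnsEntries": [{"DnsName": "vpce-0123.efs.us-east-1.vpce.amazonaws.com"}]},
  {"VpcEndpointId": "vpce-0fedcba9876543210", "VpcEndpointType": "Interface",
   "VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.vpce.us-east-1.efs", "State": "available",
   "SubnetIds": ["subnet-0c"], "Groups": [{"GroupId": "sg-0open"}],
   "PrivateDnsEnabled": false, "DnsEntries": []}]}
""")
# Constructed sample shaped like `aws ec2 describe-security-groups` output for the groups above.
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0efs", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]},
  {"GroupId": "sg-0open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]}
""")

def audit_efs_endpoint(endpoints, sgs, vpc_id, required_subnets):
    """Return a list of findings for the EFS endpoint(s) in vpc_id; an empty list means compliant."""
    findings = []
    sg_by_id = {g["GroupId"]: g for g in sgs["SecurityGroups"]}
    efs = [e for e in endpoints["VpcEndpoints"]
           if e["VpcId"] == vpc_id and fnmatch(e["ServiceName"], "com.amazonaws.vpce.*.efs")]
    if not efs:
        return [f"{vpc_id}: no VPC endpoint for Amazon EFS"]
    for e in efs:
        eid = e["VpcEndpointId"]
        if e["State"] != "available":
            findings.append(f"{eid}: state is {e['State']}, not available")
        if not e.get("PrivateDnsEnabled"):
            findings.append(f"{eid}: private DNS disabled, EFS names will not resolve to the endpoint")
        missing = sorted(set(required_subnets) - set(e["SubnetIds"]))
        if missing:
            findings.append(f"{eid}: no endpoint network interface in subnets {missing}")
        # NFS (TCP 2049) must only be reachable from trusted sources, never from any address.
        for g in e["Groups"]:
            for perm in sg_by_id.get(g["GroupId"], {}).get("IpPermissions", []):
                covers_nfs = perm["IpProtocol"] == "-1" or perm.get("FromPort", 0) <= 2049 <= perm.get("ToPort", 65535)
                open_v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                open_v6 = any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", []))
                if covers_nfs and (open_v4 or open_v6):
                    findings.append(f"{eid}: security group {g['GroupId']} allows NFS (2049) from 0.0.0.0/0 or ::/0")
    return findings

if __name__ == "__main__":
    print(audit_efs_endpoint(SAMPLE_ENDPOINTS, SAMPLE_SGS, "vpc-0bbb", ["subnet-0c", "subnet-0d"]))
```

To run it against a real account, save the output of the two describe commands to files and load them with `json.load` in place of the constructed samples.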
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to VPC > Endpoints
Click Create Endpoint
In the Service Name section, select com.amazonaws.vpce.<region>.efs
Select the VPC and subnets where the endpoint should be deployed
In the Route Tables section, ensure that the route tables for the subnets associated with EC2 instances have been updated to include the new endpoint
Configure DNS resolution for the VPC endpoint, enabling DNS resolution for EFS through the VPC endpoint
Associate security groups to control access to the endpoint (ensuring that only trusted resources can communicate with the EFS system)
Complete the setup by reviewing and confirming the endpoint creation
Test the endpoint by mounting the EFS file system from an EC2 instance and verify that traffic is routed through the VPC endpoint without using public IPs
Using AWS CLI:
Create an interface VPC endpoint for Amazon EFS (an interface endpoint places network interfaces in the selected subnets, so it takes subnet and security group IDs rather than route table IDs):
aws ec2 create-vpc-endpoint \
  --vpc-endpoint-type Interface \
  --vpc-id <vpc-id> \
  --service-name com.amazonaws.vpce.us-east-1.efs \
  --subnet-ids <subnet-id> \
  --security-group-ids <security-group-id>
Enable private DNS resolution for the VPC endpoint:
aws ec2 modify-vpc-endpoint \
  --vpc-endpoint-id <vpc-endpoint-id> \
  --private-dns-enabled
Test the VPC endpoint by mounting the EFS file system from an EC2 instance, ensuring traffic does not leave the AWS network:
sudo mount -t nfs4 -o nfsvers=4.1 <efs-dns-name>:/ <mount-point>
Backout Plan:
Using AWS Console:
Navigate to VPC > Endpoints
Select the VPC endpoint for EFS and click Delete
Revert any changes made to the security group or route tables
Test the environment to ensure that EC2 instances are still able to access EFS, if needed, through an alternate connection method (e.g., public IP access)
Using AWS CLI:
Delete the VPC endpoint:
aws ec2 delete-vpc-endpoint --vpc-endpoint-id <vpc-endpoint-id>
Update the route tables to remove the endpoint route:
aws ec2 replace-route --route-table-id <route-table-id> --destination-cidr-block <endpoint-cidr-block> --gateway-id <internet-gateway-id>
Ensure that DNS settings are reverted if necessary, and restore access to EFS through the previous method (e.g., public access)