iCompaas Support

Profile Applicability:

• Level 2

Description:

AWS Elastic File System (EFS) provides a simple, scalable file storage solution that can be used with various AWS services and applications. EFS access points provide an easy way to manage access to EFS file systems by allowing you to enforce specific access controls, directory structures, and network configurations for different applications or users. Ensuring that EFS access points are properly managed enables better security, scalability, and access control.

Rationale:

Managing EFS access points provides:

• Fine-grained access control to file systems for specific applications or users
  

• Simplified management of file system permissions through IAM roles and policies
  

• Improved security by isolating different workloads or users' access to specific directories within the file system
  

• Enhanced scalability by enabling multiple access points to serve different use cases
  

Default Value:

EFS access points are not automatically created. You must manually create and configure them to enable more granular access control.

Impact:

Pros:
 • Simplifies access management by isolating access for different workloads or users
• Enhances security by enforcing directory-level access controls and IAM policies
• Reduces the risk of accidental data exposure or misuse through targeted access
 • Enables specific configurations (e.g., mounted directories, IAM roles) per access point

Cons:
 • Requires additional setup and configuration for each access point
• Incorrect configuration of access points could lead to unauthorized access or operational errors
 • Requires monitoring and maintenance to ensure that policies remain appropriate as workloads evolve

Pre-requisites:

IAM Permissions Required:
 elasticfilesystem:CreateAccessPoint, elasticfilesystem:DescribeAccessPoints, elasticfilesystem:DeleteAccessPoint
 IAM permissions to create and manage EFS access points and attach appropriate policies

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the AWS Management Console

2. Navigate to EFS > Access Points

3. Ensure that you have created the necessary access points for your EFS file system

4. Verify the configuration settings of each access point, including the directory path, network settings, and IAM roles

5. Test the access by attempting to mount the EFS using the access point from an EC2 instance or application

6. Review IAM policies attached to the access point and ensure they follow the principle of least privilege

Using AWS CLI:

• aws efs describe-access-points \
    --file-system-id fs-xxxxxxxxxxxxxxxxx

• aws efs describe-access-point \
    --access-point-id fsap-xxxxxxxxxxxxxxxxx

• aws efs delete-access-point \
    --access-point-id fsap-xxxxxxxxxxxxxxxxx

Implementation Plan

Using AWS Console:

1. Navigate to EFS > Access Points and click Create access point
2. Select the EFS file system and configure the access point settings, such as the directory path, IAM roles, and network settings
3. Attach the appropriate IAM policies to the access point to grant or restrict access
4. Review the access point configuration and confirm by clicking Create
5. Test the access point by mounting it to an EC2 instance and verifying that the file system is accessible via the designated directory

Using AWS CLI:
 Step 1: Create the EFS access point

aws efs create-access-point \
  --file-system-id fs-xxxxxxxxxxxxxxxxx \
  --posix-user Uid=1001,Gid=1001 \
  --root-directory "Path=/mydirectory" \
  --client-token <unique-token>

Step 2: Verify the created access point

aws efs describe-access-points \
  --file-system-id fs-xxxxxxxxxxxxxxxxx

Step 3: Attach IAM policies to the access point

aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess

Step 4: Test the access point by mounting it on an EC2 instance

sudo mount -t efs -o accesspoint=fsap-xxxxxxxxxxxxxxxxx fs-xxxxxxxxxxxxxxxxx:/ /mnt/efs

Backout Plan

Using AWS Console:

1. If the access point is misconfigured, delete the access point or modify its configuration to match the desired access rules
2. Revert IAM policy changes or remove policies if they lead to unintended access
3. If required, recreate the access point with updated settings

Using AWS CLI:
 To delete an access point:

aws efs delete-access-point \
  --access-point-id fsap-xxxxxxxxxxxxxxxxx

To remove IAM policies attached to the access point role:

aws iam detach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess

References:

• https://docs.aws.amazon.com/efs/latest/ug/working-with-access-points.html
• https://docs.aws.amazon.com/cli/latest/reference/efs/create-access-point.html
• https://aws.amazon.com/efs/