EFS access points should be configured to enforce a user identity

Amazon EFS access points are application-specific entry points into an EFS file system that let you manage how applications reach shared datasets. An access point lets you apply a POSIX user identity to every request made to the associated file system and restrict that access to a directory within the file system. You can configure an access point to enforce POSIX user and group information for all file system requests made through it; to do so, you must specify the identity to enforce when you create the access point, by setting its "User ID", "Group ID" and "Secondary group IDs" attributes. Once these attributes are set and user enforcement is enabled, Amazon EFS replaces the NFS client's own user and group IDs with the POSIX identity configured on the access point for all file system operations, so a client cannot choose the identity it acts as. To follow best practices, ensure a user identity is enforced for your file system through an Amazon EFS access point.

Remediation Steps

To enforce a POSIX user identity using an Amazon EFS access point via AWS Management Console:

  1. Access the Amazon EFS console at https://console.aws.amazon.com/efs/ and choose Access points.
  2. Choose Create access point and follow the Amazon EFS setup wizard to configure the new access point.
  3. For POSIX user - optional, enter the user ID, group ID, and the secondary group IDs for all the file system operations performed through the new access point.
  4. Once all the required settings are configured, choose Create access point to deploy your new Amazon EFS access point.
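
The following is an added example, not part of the original page or an AWS-provided tool. It shows, in Python, the two sides of this rule: an audit function that walks a `DescribeAccessPoints` response and reports access points with no enforced POSIX identity (the condition the paragraph above describes), and a helper that builds the `CreateAccessPoint` parameters with `Uid`, `Gid` and `SecondaryGids` set, matching console steps 1 to 4. The access point and file system IDs are constructed sample values; the response dictionary is hand-built in the shape the API returns, so the script runs offline. Against a real account you would replace it with the result of `boto3.client("efs").describe_access_points()`.

```python
"""Audit Amazon EFS access points for enforced POSIX identities.

Added example (not from the original page). Works over the shape of the
EFS DescribeAccessPoints response and builds CreateAccessPoint parameters.
All IDs below are constructed placeholders, not real resources.
"""

# Constructed sample in the shape of a DescribeAccessPoints response.
SAMPLE_RESPONSE = {
    "AccessPoints": [
        {   # compliant: Uid and Gid are enforced on every request
            "AccessPointId": "fsap-0example000000001",
            "FileSystemId": "fs-0example00000001",
            "Name": "app-enforced",
            "LifeCycleState": "available",
            "PosixUser": {"Uid": 1001, "Gid": 1001, "SecondaryGids": [1002]},
            "RootDirectory": {"Path": "/app"},
        },
        {   # non-compliant: no PosixUser block, so the NFS client's own
            # uid/gid are used for file system operations
            "AccessPointId": "fsap-0example000000002",
            "FileSystemId": "fs-0example00000001",
            "Name": "app-open",
            "LifeCycleState": "available",
            "RootDirectory": {"Path": "/"},
        },
    ]
}


def has_enforced_identity(access_point):
    """True when the access point carries a PosixUser with both Uid and Gid.

    SecondaryGids is optional in the API, so its absence alone does not
    make an access point non-compliant.
    """
    posix = access_point.get("PosixUser") or {}
    return "Uid" in posix and "Gid" in posix


def find_unenforced(response):
    """Return (AccessPointId, FileSystemId) for every access point in a
    DescribeAccessPoints response that does not enforce a POSIX identity."""
    return [
        (ap["AccessPointId"], ap["FileSystemId"])
        for ap in response.get("AccessPoints", [])
        if not has_enforced_identity(ap)
    ]


def build_create_request(file_system_id, uid, gid, secondary_gids=(), root_path="/"):
    """Build keyword arguments for efs.create_access_point with user
    enforcement on. Uid, Gid and SecondaryGids correspond to the console's
    "User ID", "Group ID" and "Secondary group IDs" fields; EFS accepts
    unsigned 32-bit values for the IDs."""
    max_id = 4294967295
    if not (0 <= uid <= max_id and 0 <= gid <= max_id):
        raise ValueError("uid and gid must be unsigned 32-bit values")
    request = {
        "FileSystemId": file_system_id,
        "PosixUser": {"Uid": uid, "Gid": gid},
        "RootDirectory": {"Path": root_path},
    }
    if secondary_gids:
        request["PosixUser"]["SecondaryGids"] = list(secondary_gids)
    return request


if __name__ == "__main__":
    for ap_id, fs_id in find_unenforced(SAMPLE_RESPONSE):
        print(f"{ap_id} on {fs_id}: no POSIX identity enforced")
    # Equivalent AWS CLI remediation (placeholder IDs):
    #   aws efs create-access-point --file-system-id fs-0example00000001 \
    #     --posix-user Uid=1001,Gid=1001,SecondaryGids=1002 \
    #     --root-directory Path=/app
    print(build_create_request("fs-0example00000001", 1001, 1001, [1002], "/app"))
```

The audit treats a missing `PosixUser` block as the finding, because the API only accepts `PosixUser` with both `Uid` and `Gid` present. When the root directory path does not yet exist on the file system, the `RootDirectory` argument also needs a `CreationInfo` block (owner UID, owner GID and permissions) so that EFS creates it; otherwise mounts through the access point fail.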

Useful Links

  1. Amazon EFS service FAQs
  2. Security in Amazon EFS
  3. Working with Amazon EFS access points
  4. create-access-point CLI command