
Disable Root Access for EFS File Systems

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon EFS file systems are configured to deny Network File System (NFS) clients the ability to use root access by default.

Security

The most effective way to reduce the risk of unauthorized access to your Amazon EFS file systems is to deny all NFS clients root access to your EFS resources. Instead, a best practice is to use resource policies to control NFS client access to your file systems in a secure way by implementing the Principle of Least Privilege (POLP). By using secure access policies, you can allow clients to perform specific actions on your file system, including read-only and write operations, without the need for root access.


Audit

To determine if your Amazon EFS file systems are configured to prevent root access by default, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the EFS file system that you want to examine.

  5. Select the File system policy tab and check the Policy document for an "Action" element value set to "elasticfilesystem:ClientRootAccess". If the "elasticfilesystem:ClientRootAccess" action is listed in the file system policy, check the "Effect" element value configured for the associated policy statement. If the "Effect" element is set to "Allow" and the "Action" is set to "elasticfilesystem:ClientRootAccess" without any "Condition" clauses defined, the root access to the selected Amazon EFS file system is not disabled.

  6. Repeat steps no. 4 and 5 for each Amazon EFS file system available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-file-systems command (OSX/Linux/UNIX) with a custom query filter to list the ID of each Amazon EFS file system provisioned in the selected AWS region:

    aws efs describe-file-systems \
      --region us-east-1 \
      --output table \
      --query 'FileSystems[*].FileSystemId'
    
  2. The command output should return a table with the requested file system ID(s):

    --------------------------
    |   DescribeFileSystems  |
    +------------------------+
    |  fs-0abcd1234abcd1234  |
    |  fs-01234abcd1234abcd  |
    +------------------------+
    
  3. Run describe-file-system-policy command (OSX/Linux/UNIX) using the ID of the file system that you want to examine as the identifier parameter and the custom query filters to describe the access policy defined for the selected file system:

    aws efs describe-file-system-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --query 'Policy'
    
  4. The command request should return the access policy document associated with the selected EFS file system:

    1. If the following error message is returned: "An error occurred (PolicyNotFound) when calling the DescribeFileSystemPolicy operation: None", the selected Amazon EFS file system does not have an access policy attached.
    2. If the file system has an access policy attached and the "elasticfilesystem:ClientRootAccess" action is listed in a policy statement, check the "Effect" element value configured for that statement. If the "Effect" element is set to "Allow" and the "Action" is set to "elasticfilesystem:ClientRootAccess" without any "Condition" clauses defined, as shown in the example below, root access to the selected Amazon EFS file system is not disabled:
      	{
      		"Version": "2012-10-17",
      		"Id": "cc-efs-file-system-policy",
      		"Statement": [
      			...
      			{
      				"Sid": "cc-system-policy-access",
      				"Effect": "Allow",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": [
      					"elasticfilesystem:ClientRootAccess"
      				],
      				"Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0abcd1234abcd1234"
      			}
      			...
      		]
      	}
      	
  5. Repeat steps no. 3 and 4 for each Amazon EFS file system available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
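
The audit steps above evaluate each policy statement by eye. The following Python helper, added here and not part of the original Conformity check, applies the same decision rule to the policy string returned by describe-file-system-policy (pass None where the CLI reported PolicyNotFound). It goes slightly beyond the page's exact-match wording by also treating action wildcards such as "elasticfilesystem:*" as covering ClientRootAccess; the sample policy documents are constructed for the example.

```python
import json

ROOT_ACTION = "elasticfilesystem:ClientRootAccess"

# Constructed sample documents, not real policies: the first mirrors the
# "not disabled" case from the audit steps, the second the remediated Deny.
SAMPLE_ALLOW = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "cc-system-policy-access", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["elasticfilesystem:ClientRootAccess"], "Resource": "*"}]})
SAMPLE_DENY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "deny-root-access", "Effect": "Deny", "Principal": {"AWS": "*"},
    "Action": ["elasticfilesystem:ClientRootAccess"], "Resource": "*"}]})
SAMPLE_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "elasticfilesystem:*"}]})

def _as_list(value):
    # IAM lets "Statement" and "Action" be a single object/string or a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _covers_root_access(action):
    # Exact action, or a wildcard ("*", "elasticfilesystem:*", "...:Client*") matching it.
    if action == "*" or action.lower() == ROOT_ACTION.lower():
        return True
    return action.endswith("*") and ROOT_ACTION.lower().startswith(action[:-1].lower())

def assess_policy(policy_json):
    """Return (status, reason) for one policy string, or for None when
    describe-file-system-policy reported PolicyNotFound."""
    if policy_json is None:
        return ("NOT_DISABLED", "no file system policy attached (PolicyNotFound)")
    unconditional_allow = explicit_deny = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not any(_covers_root_access(a) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            explicit_deny = True
        elif stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            unconditional_allow = True
    if unconditional_allow:  # Allow without Condition: the audit's failing case
        return ("NOT_DISABLED", "Allow grants ClientRootAccess without a Condition")
    if explicit_deny:
        return ("DISABLED", "explicit Deny on ClientRootAccess")
    # A policy is attached and never grants root unconditionally (see Remediation 1.1).
    return ("DISABLED", "policy does not grant ClientRootAccess unconditionally")

def audit_file_systems(policies_by_id):
    """Map each file system ID (from step 1) to the assessment of its policy (step 3)."""
    return {fs_id: assess_policy(doc) for fs_id, doc in policies_by_id.items()}
```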

Remediation / Resolution

To prevent root access to your existing Amazon EFS file systems by default, perform the following actions:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Disable Root Access",
    	"Resources": {
    		"MountTargetVPC": {
    			"Type": "AWS::EC2::VPC",
    			"Properties": {
    				"CidrBlock": "172.16.0.0/16"
    			}
    		},
    		"MountTargetSubnet": {
    			"Type": "AWS::EC2::Subnet",
    			"Properties": {
    				"CidrBlock": "172.16.1.0/24",
    				"VpcId": {
    					"Ref": "MountTargetVPC"
    				},
    				"AvailabilityZone": "us-east-1a"
    			}
    		},
    		"EFSFileSystem": {
    			"Type": "AWS::EFS::FileSystem",
    			"Properties": {
    				"Encrypted": true,
    				"PerformanceMode": "generalPurpose",
    				"ThroughputMode": "bursting",
    				"FileSystemPolicy": {
    					"Version": "2012-10-17",
    					"Statement": [
    						{
    							"Sid": "deny-root-access",
    							"Effect": "Deny",
    							"Principal": {
    								"AWS": "*"
    							},
    							"Action": [
    								"elasticfilesystem:ClientRootAccess"
    							],
    							"Resource": "*"
    						}
    					]
    				}
    			}
    		},
    		"EFSMountTarget": {
    			"Type": "AWS::EFS::MountTarget",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"SubnetId": {
    					"Ref": "MountTargetSubnet"
    				},
    				"SecurityGroups": [
    					{
    						"Fn::GetAtt": [
    							"MountTargetVPC",
    							"DefaultSecurityGroup"
    						]
    					}
    				]
    			}
    		},
    		"EFSAccessPoint": {
    			"Type": "AWS::EFS::AccessPoint",
    			"Properties": {
    				"FileSystemId": {
    					"Ref": "EFSFileSystem"
    				},
    				"PosixUser": {
    					"Uid": "13234",
    					"Gid": "1322",
    					"SecondaryGids": [
    						"1344",
    						"1452"
    					]
    				},
    				"RootDirectory": {
    					"CreationInfo": {
    						"OwnerGid": "708798",
    						"OwnerUid": "7987987",
    						"Permissions": "0755"
    					},
    					"Path": "/web/production"
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Disable Root Access
    Resources:
      MountTargetVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 172.16.0.0/16
      MountTargetSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          CidrBlock: 172.16.1.0/24
          VpcId: !Ref 'MountTargetVPC'
          AvailabilityZone: us-east-1a
      EFSFileSystem:
        Type: AWS::EFS::FileSystem
        Properties:
          Encrypted: true
          PerformanceMode: generalPurpose
          ThroughputMode: bursting
          FileSystemPolicy:
            Version: '2012-10-17'
            Statement:
              - Sid: deny-root-access
                Effect: Deny
                Principal:
                  AWS: '*'
                Action:
                  - elasticfilesystem:ClientRootAccess
                Resource: '*'
      EFSMountTarget:
        Type: AWS::EFS::MountTarget
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          SubnetId: !Ref 'MountTargetSubnet'
          SecurityGroups:
            - !GetAtt 'MountTargetVPC.DefaultSecurityGroup'
      EFSAccessPoint:
        Type: AWS::EFS::AccessPoint
        Properties:
          FileSystemId: !Ref 'EFSFileSystem'
          PosixUser:
            Uid: '13234'
            Gid: '1322'
            SecondaryGids:
              - '1344'
              - '1452'
          RootDirectory:
            CreationInfo:
              OwnerGid: '708798'
              OwnerUid: '7987987'
              Permissions: '0755'
            Path: /web/production
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_efs_file_system" "efs-file-system" {
    	creation_token   = "abcdabcd-abcd-abcd-abcd-abcdabcdabcd"
    	performance_mode = "generalPurpose"
    	throughput_mode  = "bursting"
    	encrypted        = true
    }
    
    # Disable Root Access: an explicit Deny on ClientRootAccess for every principal.
    # The indented heredoc (<<-) lets the POLICY terminator keep the block's indentation.
    resource "aws_efs_file_system_policy" "file-system-policy" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    	policy = <<-POLICY
    	{
    		"Version": "2012-10-17",
    		"Statement": [
    			{
    				"Sid": "deny-root-access",
    				"Effect": "Deny",
    				"Principal": {
    					"AWS": "*"
    				},
    				"Action": [
    					"elasticfilesystem:ClientRootAccess"
    				],
    				"Resource": "*"
    			}
    		]
    	}
    	POLICY
    }
    
    resource "aws_efs_mount_target" "efs-mount-target" {
    	file_system_id  = aws_efs_file_system.efs-file-system.id
    	subnet_id       = "subnet-0abcd1234abcd1234"
    	security_groups = ["sg-01234abcd1234abcd"]
    }
    
    resource "aws_efs_access_point" "efs-access-point" {
    	file_system_id = aws_efs_file_system.efs-file-system.id
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Elastic File System (EFS) console at https://console.aws.amazon.com/efs/.

  3. In the main navigation panel, under Elastic File System, choose File systems.

  4. Click on the name/ID (link) of the EFS file system that you want to examine.

  5. Select the File system policy tab and choose Edit to modify the policy associated with your file system.

  6. On the File system policy configuration page, perform one of the following operations:

    1. If the selected file system does not have an access policy attached, select the Prevent root access by default checkbox from the Policy options section, and choose Save to apply the predefined policy. Once attached, the policy disables root access to the selected Amazon EFS resource for all NFS clients that connect to the file system.
    2. If the selected file system does have an access policy already defined, remove the "elasticfilesystem:ClientRootAccess" action where the "Effect" element is set to "Allow" or make sure that the "Effect" element is set to "Deny" where the "Action" is set to "elasticfilesystem:ClientRootAccess", as shown in the example below:
      	{
      		"Version": "2012-10-17",
      		"Id": "cc-efs-file-system-policy",
      		"Statement": [
      			...
      			{
      				"Sid": "cc-system-policy-access",
      				"Effect": "Deny",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": [
      					"elasticfilesystem:ClientRootAccess"
      				],
      				"Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0abcd1234abcd1234"
      			}
      			...
      		]
      	}
      	
  7. Choose Save to apply the permission changes.

  8. Repeat steps no. 4 – 7 for each Amazon EFS file system available in the selected AWS region.

  9. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Define the file system access policy that should disable the root access for all the NFS clients that are connecting to your EFS file system:

    1. If the specified EFS file system does not have an access policy defined, paste the following policy document to a JSON file named cc-efs-access-policy.json:
      	{
      		"Version": "2012-10-17",
      		"Id": "efs-policy-wizard-abcd-1234-abcd",
      		"Statement": [
      			{
      				"Sid": "efs-disable-root-access",
      				"Effect": "Allow",
      				"Principal": {
      					"AWS": "*"
      				},
      				"Action": [
      					"elasticfilesystem:ClientWrite",
      					"elasticfilesystem:ClientMount"
      				],
      				"Condition": {
      					"Bool": {
      						"elasticfilesystem:AccessedViaMountTarget": "true"
      					}
      				}
      			}
      		]
      	}
      	
    2. If the specified file system does have an access policy already defined, add the following statement to the "Statement" element within the existing policy and save the entire policy document to a JSON file named cc-efs-access-policy.json. Replace <aws-account-id>, <aws-region> and <file-system-id> placeholders with your own resource details:
      	{
      		"Sid": "efs-disable-root-access",
      		"Effect": "Deny",
      		"Principal": {
      			"AWS": "*"
      		},
      		"Action": "elasticfilesystem:ClientRootAccess",
      		"Resource": "arn:aws:elasticfilesystem:<aws-region>:<aws-account-id>:file-system/<file-system-id>"
      	}
      	
  2. Run put-file-system-policy command (OSX/Linux/UNIX) using the ID of the Amazon EFS file system that you want to reconfigure as the identifier parameter. This attaches the access policy defined in the previous step to the selected file system and denies root access to all NFS clients that connect to it:

    aws efs put-file-system-policy \
      --region us-east-1 \
      --file-system-id fs-0abcd1234abcd1234 \
      --policy file://cc-efs-access-policy.json
    
  3. The command output should return the access policy attached to the selected file system, e.g.:

    {
    	"Version": "2012-10-17",
    	"Id": "efs-policy-wizard-abcd-1234-abcd",
    	"Statement": [
    		{
    			"Sid": "efs-disable-root-access",
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "*"
    			},
    			"Action": [
    				"elasticfilesystem:ClientWrite",
    				"elasticfilesystem:ClientMount"
    			],
    			"Condition": {
    				"Bool": {
    					"elasticfilesystem:AccessedViaMountTarget": "true"
    				}
    			}
    		}
    	]
    }
    
  4. Repeat steps no. 1 – 3 for each Amazon EFS file system available in the selected AWS region.

  5. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jan 17, 2024