AWS efs documentation change
Summary
Updated instructions for configuring security groups between EC2 instances and EFS mount targets, including restructuring steps, clarifying default security group usage, and updating references to VPC documentation.
Security assessment
The changes provide clearer guidance on security group configuration (a security feature) by restructuring steps, emphasizing proper inbound/outbound rules, and linking to updated VPC documentation. While this helps prevent misconfigurations that could lead to unauthorized access, there is no evidence of addressing a specific disclosed vulnerability.
Diff
diff --git a/efs/latest/ug/accessing-fs-create-security-groups.md b/efs/latest/ug/accessing-fs-create-security-groups.md index 83abe63eb..f061ca4e6 100644 --- a//efs/latest/ug/accessing-fs-create-security-groups.md +++ b//efs/latest/ug/accessing-fs-create-security-groups.md @@ -7 +7 @@ -Both an Amazon EC2 instance and a mount target have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. If you don't provide a security group when creating a mount target, Amazon EFS associates the default security group of the VPC with it. +Both an Amazon EC2 instance and a mount target have associated security groups. These security groups act as a virtual firewall that controls the traffic between them. For more information about mount targets, see [Managing mount targets](./accessing-fs.html). If you don't provide a security group when creating a mount target, Amazon EFS uses the VPC's default security. @@ -9 +9 @@ Both an Amazon EC2 instance and a mount target have associated security groups. -Regardless, to enable traffic between an EC2 instance and a mount target (and thus the file system), you must configure the following rules in these security groups: +To enable traffic between an EC2 instance and a mount target (and thus the file system), you need to configure the following rules for the security groups: @@ -18,3 +18 @@ Regardless, to enable traffic between an EC2 instance and a mount target (and th -To change the security groups associated with your EFS file systems mount targets, see [Managing mount targets](./accessing-fs.html). - -For more information about security groups, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the _Amazon EC2 User Guide_. +For more information about security groups, see [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the _Amazon VPC User Guide_. @@ -26 +24 @@ The following section is specific to Amazon EC2 and discusses how to create secu -You can use the AWS Management Console to create security groups in your VPC. To connect your Amazon EFS file system to your Amazon EC2 instance, you must create two security groups: one for your Amazon EC2 instance and another for your Amazon EFS mount target. +You can use the Amazon VPC Console to create security groups in your VPC. To connect your Amazon EFS file system to your Amazon EC2 instance, you must create two security groups: one for your Amazon EC2 instance and another for your Amazon EFS mount target. @@ -30,5 +28 @@ You can use the AWS Management Console to create security groups in your VPC. To - 2. In the VPC console, verify the default rules for these security groups. Both security groups should have only an outbound rule that allows traffic to leave. - - 3. You must authorize additional access to the security groups as follows: - - 1. Add a rule to the EC2 security group to allow SSH access to the instance on port 22 as shown following. This is useful if you're planning on using an SSH client like PuTTY to connect to and administer your EC2 instance through a terminal interface. Optionally, you can restrict the **Source** address. + 2. In the VPC console, verify the default rules for these security groups, and make sure that each security group has an outbound rule that allows traffic to leave. @@ -36 +30 @@ You can use the AWS Management Console to create security groups in your VPC. To -For instructions, see [Add rules to a security group](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#adding-security-group-rules) in the _Amazon VPC User Guide_. + 3. You must authorize additional access to the security groups as follows. For instructions, see [Configure security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#adding-security-group-rules) in the _Amazon VPC User Guide_. @@ -38 +32 @@ For instructions, see [Add rules to a security group](https://docs.aws.amazon.co - 2. Add a rule to the mount target security group to allow inbound access from the EC2 security group on TCP port 2049. The security group assigned as the **Source** is the security group associated with the EC2 instance. + 1. For the EC2 security group, add a rule that allows SSH access to the instance on port 22. This is useful if you're planning on using an SSH client like PuTTY to connect to and administer your EC2 instance through a terminal interface. Optionally, you can restrict the **Source** address. @@ -40 +34 @@ For instructions, see [Add rules to a security group](https://docs.aws.amazon.co -To view the security groups associated with your file systems mount targets, in the EFS console, choose the **Network** tab in the File system details page. For more information, see [Managing mount targets](./accessing-fs.html). + 2. For the mount target security group, add a rule that allows inbound access from the EC2 security group on TCP port 2049. Assign the EC2 security group as the **Source**. @@ -46 +40 @@ You don't need to add an outbound rule because the default outbound rule allows - 4. Verify that both security groups now authorize inbound and outbound access as described in this section. + 4. Assign the EC2 security group to the EC2 instance when you launch it. Assign the EFS security group to the mount target when you create the EFS file system.