AWS efs high security documentation change
Summary
Restructured documentation with new sections about source ports and security considerations. Added specific iptables command to restrict NFS access to privileged users. Expanded guidance on security group configuration for EC2 instances and mount targets.
Security assessment
Added concrete security control (iptables command) to prevent unprivileged processes from accessing NFS port 2049. Detailed security considerations section explains network isolation requirements and strict security group rules, directly addressing access control measures.
Diff
diff --git a/efs/latest/ug/network-access.md b/efs/latest/ug/network-access.md index f115af623..3463da881 100644 --- a//efs/latest/ug/network-access.md +++ b//efs/latest/ug/network-access.md @@ -5 +5 @@ -# Using VPC security groups for Amazon EC2 instances and mount targets +Source portsSecurity considerations for network accessCreating security groups @@ -7 +7 @@ -When using Amazon EFS, you specify Amazon EC2 security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. A security group acts as a firewall, and the rules that you add define the traffic flow. In the Getting Started exercise, you created one security group when you launched the EC2 instance. You then associated another with the EFS mount target (that is, the default security group for your default VPC). That approach works for the Getting Started exercise. However, for a production system, you should set up security groups with minimal permissions for use with EFS. +# Using VPC security groups @@ -9 +9 @@ When using Amazon EFS, you specify Amazon EC2 security groups for your EC2 insta -You can authorize inbound and outbound access to your EFS file system. To do so, you add rules that allow your EC2 instance to connect to your Amazon EFS file system through the mount target using the Network File System (NFS) port. Take the following steps to create and update your security groups. +When using Amazon EFS, you specify VPC security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. A security group acts as a firewall, and the rules that you add define the traffic flow. In the [Getting started exercise](./getting-started.html), you created one security group when you launched the EFS instance. You then associated another with the EFS mount target (that is, the default security group for your default VPC). That approach works for the Getting started exercise. However, for a production system, you should set up security groups with minimal permissions for use with Amazon EFS. @@ -11 +11 @@ You can authorize inbound and outbound access to your EFS file system. To do so, -###### To create security groups for EC2 instances and mount targets +You can authorize inbound and outbound access to your EFS file system. To do so, you add rules that allow EFS instances to connect to your EFS file system through the mount target using the Network File System (NFS) port. @@ -13 +13 @@ You can authorize inbound and outbound access to your EFS file system. To do so, - 1. Create two security groups in your VPC. + * Each EC2 instance that mounts the file system must have a security group with a rule that allows outbound access to the mount target on the NFS port. @@ -15 +15 @@ You can authorize inbound and outbound access to your EFS file system. To do so, -For instructions, see the procedure "To create a security group" in [Creating a Security Group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups) in the _Amazon VPC User Guide_. + * The EFS mount target needs to have a security group with a rule that allows inbound access from each EC2 instance on which you want to mount the file system. @@ -17 +16,0 @@ For instructions, see the procedure "To create a security group" in [Creating a - 2. Open the Amazon VPC Management Console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/), and verify the default rules for these security groups. Both security groups should have only an outbound rule that allows traffic to leave. @@ -20,0 +20 @@ For instructions, see the procedure "To create a security group" in [Creating a +## Source ports for working with Amazon EFS @@ -22 +22 @@ For instructions, see the procedure "To create a security group" in [Creating a -###### To update the necessary access for your security groups +To support a broad set of NFS clients, Amazon EFS allows connections from any source port. If you require that only privileged users can access Amazon EFS, we recommend using the following client firewall rule. Connect to your file system using SSH and run the following command: @@ -24 +23,0 @@ For instructions, see the procedure "To create a security group" in [Creating a - 1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). @@ -26 +25 @@ For instructions, see the procedure "To create a security group" in [Creating a - 2. Add a rule for your EC2 security group to allow inbound access using Secure Shell (SSH) from any host. Optionally, restrict the **Source** address. + iptables -I OUTPUT 1 -m owner --uid-owner 1-4294967294 -m tcp -p tcp --dport 2049 -j DROP @@ -28 +27 @@ For instructions, see the procedure "To create a security group" in [Creating a -You don't need to add an outbound rule because the default outbound rule allows all traffic to leave. If this were not the case, you'd need to add an outbound rule to open the TCP connection on the NFS port, identifying the mount target security group as the destination. +This command inserts a new rule at the start of the OUTPUT chain (`-I OUTPUT 1`). The rule prevents any unprivileged, nonkernel process (`-m owner --uid-owner 1-4294967294`) from opening a connection to the NFS port (`-m tcp -p tcp –dport 2049`). @@ -30 +29 @@ You don't need to add an outbound rule because the default outbound rule allows -For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules) in the _Amazon VPC User Guide_. +## Security considerations for network access @@ -32 +31 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp - 3. Add inbound and outbound rules for the mount target. +An NFS version 4.1 (NFSv4.1) client can only mount a file system if it can make a network connection to the NFS port (TCP port 2049) of one of the file system's mount targets. Similarly, an NFSv4.1 client can only assert a user and group ID when accessing a file system if it can make this network connection. @@ -34 +33 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp - * Add an inbound rule for the mount target security group to allow inbound access from the EC2 security group. Identify the EC2 security group as the source. +Whether you can make this network connection is governed by a combination of the following: @@ -36 +35 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp - * Add an outbound rule to open the TCP connection on all of the NFS ports. Identify the EC2 security group as the destination. + * **Network isolation provided by the mount targets' VPC** – File system mount targets can't have public IP addresses associated with them. The only targets that can mount file systems are the following: @@ -38 +37 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp -For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules) in the _Amazon VPC User Guide_. + * Amazon EC2 instances in the local Amazon VPC @@ -40 +39 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp - 4. Verify that both security groups now authorize inbound and outbound access. + * EC2 instances in connected VPCs @@ -41,0 +41,32 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp + * On-premises servers connected to an Amazon VPC by using AWS Direct Connect and an AWS Virtual Private Network (VPN) + + * **Network access control lists (ACLs) for the VPC subnets of the client and mount targets, for access from outside the mount target's subnets** – To mount a file system, the client must be able to make a TCP connection to the NFS port of a mount target and receive return traffic. + + * **Rules of the client's and mount targets' VPC security groups, for all access** – For an EC2 instance to mount a file system, the following security group rules must be in effect: + + * The file system must have a mount target whose network interface has a security group with a rule that enables inbound connections on the NFS port from the instance. You can enable inbound connections either by IP address (CIDR range) or security group. The source of the security group rules for the inbound NFS port on mount target network interfaces is a key element of file system access control. Inbound rules other than the one for the NFS port, and any outbound rules, aren't used by network interfaces for file system mount targets. + + * The mounting instance must have a network interface with a security group rule that enables outbound connections to the NFS port on one of the file system's mount targets. You can enable outbound connections either by IP address (CIDR range) or security group. + + + + +For more information, see [Managing mount targets](./accessing-fs.html). + +## Creating security groups + +###### To create security groups for EC2 instances and EFS mount targets + +The following are the general steps that you'll perform when creating the security groups for Amazon EFS. For instructions on creating the security groups, see [Create a security group](https://docs.aws.amazon.com/vpc/latest/userguide/creating-security-groups.html) in the _Amazon VPC User Guide_. + + 1. For your EC2 instances, create a security group with the following rules: + + * An inbound rule that allows inbound access that allows using Secure Shell (SSH) from any host. Optionally, restrict the **Source** address. + + * An outbound rule that allows all traffic to leave. When you create a security group, it is created with an outbound rule by default so you shouldn't need to add one. + + 2. For your EFS mount target, create a security group with the following rules: + + * An inbound rule that allows access from the EC2 security group. Identify the EC2 security group as the source. + + * An outbound rule to open the TCP connection on all of the NFS ports. Identify the EC2 security group as the destination. @@ -45 +75,0 @@ For instructions, see [Adding and Removing Rules](https://docs.aws.amazon.com/vp -For more information about security groups, see [Amazon EC2 security groups for Linux instances ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#vpc-security-groups). @@ -55 +85 @@ Controlling network access -Source ports +Working with VPC endpoints