AWS Security ChangesHomeSearch

AWS efs medium security documentation change

Service: efs · 2025-07-18 · Security-related medium

File: efs/latest/ug/cross-account-replication.md

Summary

Updated resource policies with security conditions and permissions

Security assessment

Added security-related policy conditions including TLS enforcement and mount target access restrictions that directly impact access control

Diff

diff --git a/efs/latest/ug/cross-account-replication.md b/efs/latest/ug/cross-account-replication.md
index 14009c1d0..08f42c69c 100644
--- a//efs/latest/ug/cross-account-replication.md
+++ b//efs/latest/ug/cross-account-replication.md
@@ -88,0 +89,2 @@ To share file systems cross-account in Amazon EFS, you must assign policies to b
+In addition to granting or restricting access across accounts, the policies need to grant other permissions required for clients to work with the file systems, such as `elasticfilesystem:ClientMount`. Otherwise, the file system might be inaccessible to clients. 
+
@@ -91 +93 @@ To share file systems cross-account in Amazon EFS, you must assign policies to b
-In addition to granting or restricting access across accounts, the policies need to grant other permissions required for clients to work with the file systems, such as `elasticfilesystem:ClientMount`. Otherwise, the file system might be inaccessible to clients. For examples of policies, see [Resource-based policy examples for Amazon EFS](./security_iam_resource-based-policy-examples.html).
+You cannot restrict access to resources over TLS connection. If you include the `"aws:SecureTransport": "false"` condition in your statement, the NFS client connection will fail.
@@ -102 +104 @@ To allow the source account permission to replicate to the destination file syst
-            "Sid": "Permissions for source account calls", 
+            "Sid": "AllowSourceAccountReplicationActions", 
@@ -114,0 +117,11 @@ To allow the source account permission to replicate to the destination file syst
+         },
+         {
+            "Sid": "AllowReadOnlyClientAccess",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
+            },
+            "Action": [
+                "elasticfilesystem:ClientMount"
+            ],
+            "Resource": "DESTINATION_FILE_SYSTEM_ARN"            
@@ -126 +139 @@ To allow the destination account permission to delete the replication configurat
-        "Id": "efs-policy",
+        "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
@@ -129 +142 @@ To allow the destination account permission to delete the replication configurat
-                "Sid": "Permission to delete the replication by the destination account",
+                "Sid": "AllowDestinationAccountToDeleteReplication",
@@ -135,0 +149,18 @@ To allow the destination account permission to delete the replication configurat
+            },
+            {
+                "Sid": "AllowClientAccess",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly"
+                },
+                "Action": [
+                    "elasticfilesystem:ClientMount",
+                    "elasticfilesystem:ClientWrite",
+                    "elasticfilesystem:ClientRootAccess"
+                ],
+                "Resource": "SOURCE_FILE_SYSTEM_ARN",
+                "Condition": {
+                   "Bool": {
+                       "elasticfilesystem:AccessedViaMountTarget": "true"
+                   }
+               }