AWS efs medium security documentation change
Summary
Updated resource policies with security conditions and permissions
Security assessment
Added security-related policy conditions including TLS enforcement and mount target access restrictions that directly impact access control
Diff
diff --git a/efs/latest/ug/cross-account-replication.md b/efs/latest/ug/cross-account-replication.md index 14009c1d0..08f42c69c 100644 --- a//efs/latest/ug/cross-account-replication.md +++ b//efs/latest/ug/cross-account-replication.md @@ -88,0 +89,2 @@ To share file systems cross-account in Amazon EFS, you must assign policies to b +In addition to granting or restricting access across accounts, the policies need to grant other permissions required for clients to work with the file systems, such as `elasticfilesystem:ClientMount`. Otherwise, the file system might be inaccessible to clients. + @@ -91 +93 @@ To share file systems cross-account in Amazon EFS, you must assign policies to b -In addition to granting or restricting access across accounts, the policies need to grant other permissions required for clients to work with the file systems, such as `elasticfilesystem:ClientMount`. Otherwise, the file system might be inaccessible to clients. For examples of policies, see [Resource-based policy examples for Amazon EFS](./security_iam_resource-based-policy-examples.html). +You cannot restrict access to resources over TLS connection. If you include the `"aws:SecureTransport": "false"` condition in your statement, the NFS client connection will fail. @@ -102 +104 @@ To allow the source account permission to replicate to the destination file syst - "Sid": "Permissions for source account calls", + "Sid": "AllowSourceAccountReplicationActions", @@ -114,0 +117,11 @@ To allow the source account permission to replicate to the destination file syst + }, + { + "Sid": "AllowReadOnlyClientAccess", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly" + }, + "Action": [ + "elasticfilesystem:ClientMount" + ], + "Resource": "DESTINATION_FILE_SYSTEM_ARN" @@ -126 +139 @@ To allow the destination account permission to delete the replication configurat - "Id": "efs-policy", + "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55", @@ -129 +142 @@ To allow the destination account permission to delete the replication configurat - "Sid": "Permission to delete the replication by the destination account", + "Sid": "AllowDestinationAccountToDeleteReplication", @@ -135,0 +149,18 @@ To allow the destination account permission to delete the replication configurat + }, + { + "Sid": "AllowClientAccess", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly" + }, + "Action": [ + "elasticfilesystem:ClientMount", + "elasticfilesystem:ClientWrite", + "elasticfilesystem:ClientRootAccess" + ], + "Resource": "SOURCE_FILE_SYSTEM_ARN", + "Condition": { + "Bool": { + "elasticfilesystem:AccessedViaMountTarget": "true" + } + }