AWS efs medium security documentation change
Summary
Removed cross-account replication policy example and related content about retaining client access
Security assessment
The removed example policy allowed broad access (AWS: * principal) with ClientRootAccess, which could enable insecure configurations if misapplied. Removing this guidance likely addresses potential over-permission risks in cross-account replication scenarios. The change specifically eliminates a policy that granted root access to any principal accessing via mount target, which could have security implications if improperly implemented.
Diff
diff --git a/efs/latest/ug/security_iam_resource-based-policy-examples.md b/efs/latest/ug/security_iam_resource-based-policy-examples.md index 619986795..dd481e961 100644 --- a//efs/latest/ug/security_iam_resource-based-policy-examples.md +++ b//efs/latest/ug/security_iam_resource-based-policy-examples.md @@ -5 +5 @@ -Example: Grant read and write access to a specific AWS roleExample: Grant read-only accessExample: Ensure connected clients retain access after setting up cross-account replicationExample: Grant access to an EFS access point +Example: Grant read and write access to a specific AWS roleExample: Grant read-only accessExample: Grant access to an EFS access point @@ -9 +9 @@ Example: Grant read and write access to a specific AWS roleExample: Grant read-o -In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. Amazon EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see [Resource-based policies within Amazon EFS](./security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies). +In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see [Resource-based policies within Amazon EFS](./security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies). @@ -23,2 +22,0 @@ For information about how to create a file system policy, see [Creating file sys - * Example: Ensure connected clients retain access after setting up cross-account replication - @@ -91,39 +88,0 @@ To learn how to set additional file system policies, including denying root acce -## Example: Ensure connected clients retain access after setting up cross-account replication - -You can use the following resource-based policy to ensure that all clients that are connected to the file system retain access after setting up cross-account replication for the file system. For more information about cross-account replication, see [Replicating EFS file systems across AWS accounts](./cross-account-replication.html) - -The following requirements apply when creating the policy. - - * Use the EFS mount helper to mount the file system. If the file system is mounted using the NFS client, connected clients will get access denied by server errors. - - * Use the -o iam or -o tls option in the mount command to pass your credentials to the EFS mount target. - - - - - - { - "Version": "2012-10-17", - "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55", - "Statement": [ - { - "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "elasticfilesystem:ClientMount", - "elasticfilesystem:ClientWrite", - "elasticfilesystem:ClientRootAccess" - ], - "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd", - "Condition": { - "Bool": { - "elasticfilesystem:AccessedViaMountTarget": "true" - } - } - } - ] - } -