AWS Security ChangesHomeSearch

AWS efs medium security documentation change

Service: efs · 2025-07-18 · Security-related medium

File: efs/latest/ug/security_iam_resource-based-policy-examples.md

Summary

Removed cross-account replication policy example and related content about retaining client access

Security assessment

The removed example policy allowed broad access (AWS: * principal) with ClientRootAccess, which could enable insecure configurations if misapplied. Removing this guidance likely addresses potential over-permission risks in cross-account replication scenarios. The change specifically eliminates a policy that granted root access to any principal accessing via mount target, which could have security implications if improperly implemented.

Diff

diff --git a/efs/latest/ug/security_iam_resource-based-policy-examples.md b/efs/latest/ug/security_iam_resource-based-policy-examples.md
index 619986795..dd481e961 100644
--- a//efs/latest/ug/security_iam_resource-based-policy-examples.md
+++ b//efs/latest/ug/security_iam_resource-based-policy-examples.md
@@ -5 +5 @@
-Example: Grant read and write access to a specific AWS roleExample: Grant read-only accessExample: Ensure connected clients retain access after setting up cross-account replicationExample: Grant access to an EFS access point
+Example: Grant read and write access to a specific AWS roleExample: Grant read-only accessExample: Grant access to an EFS access point
@@ -9 +9 @@ Example: Grant read and write access to a specific AWS roleExample: Grant read-o
-In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. Amazon EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see [Resource-based policies within Amazon EFS](./security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies).
+In this section, you can find example file system policies that grant or deny permissions for various Amazon EFS actions. EFS file system policies have a 20,000 character limit. For information about the elements of a resource-based policy, see [Resource-based policies within Amazon EFS](./security_iam_service-with-iam.html#security_iam_service-with-iam-resource-based-policies).
@@ -23,2 +22,0 @@ For information about how to create a file system policy, see [Creating file sys
-  * Example: Ensure connected clients retain access after setting up cross-account replication
-
@@ -91,39 +88,0 @@ To learn how to set additional file system policies, including denying root acce
-## Example: Ensure connected clients retain access after setting up cross-account replication
-
-You can use the following resource-based policy to ensure that all clients that are connected to the file system retain access after setting up cross-account replication for the file system. For more information about cross-account replication, see [Replicating EFS file systems across AWS accounts](./cross-account-replication.html)
-
-The following requirements apply when creating the policy. 
-
-  * Use the EFS mount helper to mount the file system. If the file system is mounted using the NFS client, connected clients will get access denied by server errors.
-
-  * Use the -o iam or -o tls option in the mount command to pass your credentials to the EFS mount target.
-
-
-
-    
-    
-    {  
-        "Version": "2012-10-17",
-        "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
-        "Statement": [
-            {
-                "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "*"
-                },
-                "Action": [
-                    "elasticfilesystem:ClientMount",
-                    "elasticfilesystem:ClientWrite",
-                    "elasticfilesystem:ClientRootAccess"
-                ],
-                "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-1234abcd",
-                "Condition": {
-                   "Bool": {
-                       "elasticfilesystem:AccessedViaMountTarget": "true"
-                   }
-               }            
-            }
-        ]
-    }
-