AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-08-10 · Documentation medium

File: AmazonECS/latest/developerguide/tutorial-efs-volumes.md

Summary

Updated EFS permissions guidance - clarified default access and IAM authorization requirements

Security assessment

Clarifies security configuration for EFS access, emphasizing IAM authorization requirements. Improves documentation about secure access controls but doesn't fix a specific vulnerability.

Diff

diff --git a/AmazonECS/latest/developerguide/tutorial-efs-volumes.md b/AmazonECS/latest/developerguide/tutorial-efs-volumes.md
index 8743fa090..6f9e6af36 100644
--- a//AmazonECS/latest/developerguide/tutorial-efs-volumes.md
+++ b//AmazonECS/latest/developerguide/tutorial-efs-volumes.md
@@ -241 +241 @@ The following task definition creates a data volume named `efs-html`. The `nginx
-You can add the following permissions to your Amazon ECS task execution IAM role to allow the Amazon ECS agent to locate and mount an Amazon EFS file system to a task at startup.
+The Amazon ECS task execution IAM role does not require any specific Amazon EFS-related permissions to mount an Amazon EFS file system. By default, if no Amazon EFS resource-based policy exists, access is granted to all principals (*) at file system creation.
@@ -243,7 +243 @@ You can add the following permissions to your Amazon ECS task execution IAM role
-     * `elasticfilesystem:ClientMount`
-
-     * `elasticfilesystem:ClientWrite`
-
-     * `elasticfilesystem:DescribeMountTargets`
-
-     * `elasticfilesystem:DescribeFileSystems`
+The Amazon ECS task role is only required if "EFS IAM authorization" is enabled in the Amazon ECS task definition. When enabled, the task role identity must be allowed access to the Amazon EFS file system in the Amazon EFS resource-based policy, and anonymous access should be disabled.