AWS AmazonECS documentation change
Summary
Updated EFS permissions guidance - clarified default access and IAM authorization requirements
Security assessment
Clarifies security configuration for EFS access, emphasizing IAM authorization requirements. Improves documentation about secure access controls but doesn't fix a specific vulnerability.
Diff
diff --git a/AmazonECS/latest/developerguide/tutorial-efs-volumes.md b/AmazonECS/latest/developerguide/tutorial-efs-volumes.md index 8743fa090..6f9e6af36 100644 --- a//AmazonECS/latest/developerguide/tutorial-efs-volumes.md +++ b//AmazonECS/latest/developerguide/tutorial-efs-volumes.md @@ -241 +241 @@ The following task definition creates a data volume named `efs-html`. The `nginx -You can add the following permissions to your Amazon ECS task execution IAM role to allow the Amazon ECS agent to locate and mount an Amazon EFS file system to a task at startup. +The Amazon ECS task execution IAM role does not require any specific Amazon EFS-related permissions to mount an Amazon EFS file system. By default, if no Amazon EFS resource-based policy exists, access is granted to all principals (*) at file system creation. @@ -243,7 +243 @@ You can add the following permissions to your Amazon ECS task execution IAM role - * `elasticfilesystem:ClientMount` - - * `elasticfilesystem:ClientWrite` - - * `elasticfilesystem:DescribeMountTargets` - - * `elasticfilesystem:DescribeFileSystems` +The Amazon ECS task role is only required if "EFS IAM authorization" is enabled in the Amazon ECS task definition. When enabled, the task role identity must be allowed access to the Amazon EFS file system in the Amazon EFS resource-based policy, and anonymous access should be disabled.