AWS securityhub high security documentation change
Summary
Updated EFS.6 control to check for subnets assigning public IPs on launch, rephrased categories, added explanatory notes, and standardized AWS Config rule link formatting
Security assessment
The EFS.6 control update explicitly addresses security risks by preventing mount targets in subnets that auto-assign public IPs, reducing exposure to unauthorized access. The revised description clarifies that public IP assignment (not just 'public subnet' labeling) is the security risk, and the category change to 'Network security' aligns with security best practices. This directly mitigates potential misconfigurations leading to public exposure of sensitive data.
Diff
diff --git a/securityhub/latest/userguide/efs-controls.md b/securityhub/latest/userguide/efs-controls.md index 7eb5ed48e..bfb7c67fc 100644 --- a//securityhub/latest/userguide/efs-controls.md +++ b//securityhub/latest/userguide/efs-controls.md @@ -5 +5 @@ -[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS[EFS.2] Amazon EFS volumes should be in backup plans[EFS.3] EFS access points should enforce a root directory[EFS.4] EFS access points should enforce a user identity[EFS.5] EFS access points should be tagged[EFS.6] EFS mount targets should not be associated with a public subnet[EFS.7] EFS file systems should have automatic backups enabled[EFS.8] EFS file systems should be encrypted at rest +[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS[EFS.2] Amazon EFS volumes should be in backup plans[EFS.3] EFS access points should enforce a root directory[EFS.4] EFS access points should enforce a user identity[EFS.5] EFS access points should be tagged[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch[EFS.7] EFS file systems should have automatic backups enabled[EFS.8] EFS file systems should be encrypted at rest @@ -9,3 +9 @@ -These Security Hub controls evaluate the Amazon Elastic File System (Amazon EFS) service and resources. - -These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These Security Hub controls evaluate the Amazon Elastic File System (Amazon EFS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -23 +21 @@ These controls may not be available in all AWS Regions. For more information, se -**AWS Config rule:** [`efs-encrypted-check`](https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html) +**AWS Config rule:** [efs-encrypted-check](https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html) @@ -56 +54 @@ For details on how to encrypt a new Amazon EFS file system, see [Encrypting data -**AWS Config rule:** [`efs-in-backup-plan`](https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html) +**AWS Config rule:** [efs-in-backup-plan](https://docs.aws.amazon.com/config/latest/developerguide/efs-in-backup-plan.html) @@ -80 +78 @@ To enable automatic backups for an existing Amazon EFS file system, see [Getting -**AWS Config rule:** [`efs-access-point-enforce-root-directory`](https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-root-directory.html) +**AWS Config rule:** [efs-access-point-enforce-root-directory](https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-root-directory.html) @@ -104 +102 @@ For instructions on how to enforce a root directory for an Amazon EFS access poi -**AWS Config rule:** [`efs-access-point-enforce-user-identity`](https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-user-identity.html) +**AWS Config rule:** [efs-access-point-enforce-user-identity](https://docs.aws.amazon.com/config/latest/developerguide/efs-access-point-enforce-user-identity.html) @@ -148 +146 @@ To add tags to an EFS access point, see [Tagging Amazon EFS resources](https://d -## [EFS.6] EFS mount targets should not be associated with a public subnet +## [EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch @@ -150 +148 @@ To add tags to an EFS access point, see [Tagging Amazon EFS resources](https://d -**Category:** Protect > Secure network configuration > Resources not publicly accessible +**Category:** Protect > Network security > Resources not publicly accessible @@ -156 +154 @@ To add tags to an EFS access point, see [Tagging Amazon EFS resources](https://d -**AWS Config rule:** [`efs-mount-target-public-accessible`](https://docs.aws.amazon.com/config/latest/developerguide/efs-mount-target-public-accessible.html) +**AWS Config rule:** [efs-mount-target-public-accessible](https://docs.aws.amazon.com/config/latest/developerguide/efs-mount-target-public-accessible.html) @@ -162 +160,3 @@ To add tags to an EFS access point, see [Tagging Amazon EFS resources](https://d -This control checks whether an Amazon EFS mount target is associated with a private subnet. The control fails if the mount target is associated with a public subnet. +This control checks whether an Amazon EFS mount target is associated with subnets that assign public IP addresses on launch. The control fails if the mount target is associated with subnets that assign public IP addresses on launch. + +All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. Amazon EFS mount targets that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. @@ -164 +164,3 @@ This control checks whether an Amazon EFS mount target is associated with a priv -By default, an file system is only accessible from the virtual private cloud (VPC) in which you created it. We recommend creating EFS mount targets in private subnets that are not accessible from the internet. This helps ensure that your file system is only accessible to authorized users and isn't vulnerable to unauthorized access or attacks. +###### Note + +On August 13, 2025, Security Hub changed the title and description of this control. The new title and description more precisely reflect the scope and nature of the check that the control performs. Previously, the title of this control was: _EFS mount targets should not be associated with a public subnet_. @@ -168 +170 @@ By default, an file system is only accessible from the virtual private cloud (VP -You can't change the association between an EFS mount target and a subnet after creating the mount target. To associate an existing mount target with a different subnet, you must create a new mount target in a private subnet and then remove the old mount target. For information about managing mount targets, see [Creating and managing mount targets and security groups](https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) in the _Amazon Elastic File System User Guide_. +To associate an existing mount target with a different subnet, you must create a new mount target in a subnet that does not assign public IP addresses on launch and then remove the old mount target. For information about managing mount targets, see [Creating and managing mount targets and security groups](https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) in the _Amazon Elastic File System User Guide_. @@ -171,0 +174,2 @@ You can't change the association between an EFS mount target and a subnet after +**Category:** Recover > Resilience > Backups enabled + @@ -176 +180 @@ You can't change the association between an EFS mount target and a subnet after -**AWS Config rule:** [`efs-automatic-backups-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/efs-automatic-backups-enabled.html) +**AWS Config rule:** [efs-automatic-backups-enabled](https://docs.aws.amazon.com/config/latest/developerguide/efs-automatic-backups-enabled.html) @@ -188 +192 @@ A data backup is a copy of your system, configuration, or application data that' -For information about using AWS Backup for EFS file systems, see [Backing up EFS file systems](https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html) in the _Amazon Elastic File System User Guide_ +For information about using AWS Backup for EFS file systems, see [Backing up EFS file systems](https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html) in the _Amazon Elastic File System User Guide_.