AWS efs high security documentation change
Summary
Added explicit NFS port 2049 references, clarified security group rules with port specifications, added security group configuration table, and tightened SSH access recommendations
Security assessment
The changes explicitly specify NFS port 2049 in security group rules (previously generic 'NFS port'), add a security group configuration table with strict port-based rules, restrict SSH inbound access to specific IPs/port 22, and narrow outbound rules to only required NFS port 2049. These changes reduce attack surface by enforcing least-privilege network access.
Diff
diff --git a/efs/latest/ug/network-access.md b/efs/latest/ug/network-access.md index 3463da881..6f553f301 100644 --- a//efs/latest/ug/network-access.md +++ b//efs/latest/ug/network-access.md @@ -13 +13 @@ You can authorize inbound and outbound access to your EFS file system. To do so, - * Each EC2 instance that mounts the file system must have a security group with a rule that allows outbound access to the mount target on the NFS port. + * Each EC2 instance that mounts the file system must have a security group with a rule that allows outbound access to the mount target on **NFS port 2049**. @@ -15 +15 @@ You can authorize inbound and outbound access to your EFS file system. To do so, - * The EFS mount target needs to have a security group with a rule that allows inbound access from each EC2 instance on which you want to mount the file system. + * The EFS mount target needs to have a security group with a rule that allows inbound access on NFS port 2049 from each EC2 instance on which you want to mount the file system. @@ -19,0 +20,7 @@ You can authorize inbound and outbound access to your EFS file system. To do so, +The following table shows the specific security group rules required: + +Security Group | Rule Type | Protocol | Port | Source/Destination +---|---|---|---|--- +EC2 Instance | Outbound | TCP | 2049 | Mount target security group +Mount Target | Inbound | TCP | 2049 | EC2 instance security group + @@ -27 +34 @@ To support a broad set of NFS clients, Amazon EFS allows connections from any so -This command inserts a new rule at the start of the OUTPUT chain (`-I OUTPUT 1`). The rule prevents any unprivileged, nonkernel process (`-m owner --uid-owner 1-4294967294`) from opening a connection to the NFS port (`-m tcp -p tcp –dport 2049`). +This command inserts a new rule at the start of the OUTPUT chain (`-I OUTPUT 1`). The rule prevents any unprivileged, nonkernel process (`-m owner --uid-owner 1-4294967294`) from opening a connection to NFS port 2049 (`-m tcp -p tcp –dport 2049`). @@ -43 +50 @@ Whether you can make this network connection is governed by a combination of the - * **Network access control lists (ACLs) for the VPC subnets of the client and mount targets, for access from outside the mount target's subnets** – To mount a file system, the client must be able to make a TCP connection to the NFS port of a mount target and receive return traffic. + * **Network access control lists (ACLs) for the VPC subnets of the client and mount targets, for access from outside the mount target's subnets** – To mount a file system, the client must be able to make a TCP connection to NFS port 2049 of a mount target and receive return traffic. @@ -47 +54 @@ Whether you can make this network connection is governed by a combination of the - * The file system must have a mount target whose network interface has a security group with a rule that enables inbound connections on the NFS port from the instance. You can enable inbound connections either by IP address (CIDR range) or security group. The source of the security group rules for the inbound NFS port on mount target network interfaces is a key element of file system access control. Inbound rules other than the one for the NFS port, and any outbound rules, aren't used by network interfaces for file system mount targets. + * The file system must have a mount target whose network interface has a security group with a rule that enables inbound connections on NFS port 2049 from the instance. You can enable inbound connections either by IP address (CIDR range) or security group. The source of the security group rules for the inbound NFS port on mount target network interfaces is a key element of file system access control. Inbound rules other than the one for NFS port 2049, and any outbound rules, aren't used by network interfaces for file system mount targets. @@ -49 +56 @@ Whether you can make this network connection is governed by a combination of the - * The mounting instance must have a network interface with a security group rule that enables outbound connections to the NFS port on one of the file system's mount targets. You can enable outbound connections either by IP address (CIDR range) or security group. + * The mounting instance must have a network interface with a security group rule that enables outbound connections to NFS port 2049 on one of the file system's mount targets. You can enable outbound connections either by IP address (CIDR range) or security group. @@ -64 +71 @@ The following are the general steps that you'll perform when creating the securi - * An inbound rule that allows inbound access that allows using Secure Shell (SSH) from any host. Optionally, restrict the **Source** address. + * An inbound rule that allows inbound access using Secure Shell (SSH) on **port 22** from your IP address or network. Optionally, restrict the **Source** address for security. @@ -66 +73 @@ The following are the general steps that you'll perform when creating the securi - * An outbound rule that allows all traffic to leave. When you create a security group, it is created with an outbound rule by default so you shouldn't need to add one. + * An outbound rule that allows outbound access on NFS port 2049 to the mount target security group. Identify the mount target security group as the destination. @@ -70 +77,3 @@ The following are the general steps that you'll perform when creating the securi - * An inbound rule that allows access from the EC2 security group. Identify the EC2 security group as the source. + * An inbound rule that allows access on NFS port 2049 from the EC2 security group. Identify the EC2 security group as the source. + +###### Note @@ -72 +81 @@ The following are the general steps that you'll perform when creating the securi - * An outbound rule to open the TCP connection on all of the NFS ports. Identify the EC2 security group as the destination. +You don't need to add an outbound rule because the default outbound rule allows all outbound traffic.