EFS Access Point Should Enforce Root Directory
More Info:
Checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. The rule is NON_COMPLIANT if ‘PosixUser’ is not defined or if parameters are provided and there is no match in the corresponding parameter.
Risk Level
Medium
Address
Security
Compliance Standards
CBP,RBI_MD_ITF
Remediation
Using Console
To remediate the misconfiguration of EFS Access Point not enforcing the root directory for AWS Kubernetes using the AWS console, you can follow these steps:
-
Access AWS Management Console: Navigate to the AWS Management Console at https://aws.amazon.com and log in to your account.
-
Go to Amazon EFS Service: Click on the “Services” dropdown menu at the top of the page, search for “EFS” and click on “Amazon EFS” to open the Amazon Elastic File System dashboard.
-
Select the EFS File System: From the list of available EFS file systems, select the EFS file system that is associated with your EFS Access Point that needs to enforce the root directory.
-
Navigate to Access Points: In the EFS file system details page, click on the “Access points” tab in the left-hand menu to view the list of access points associated with the selected EFS file system.
-
Select the Access Point: Identify and select the Access Point that needs to enforce the root directory by clicking on its name.
-
Edit Access Point Policy: In the Access Point details page, click on the “Edit” button next to the “Policy” section to modify the access point policy.
-
Update the Policy: In the policy editor, update the policy document to include the following statement to enforce the root directory:
"RootDirectory": "/" -
Save Changes: After adding the “RootDirectory” statement to the policy document, click on the “Save changes” button to apply the updated policy to the EFS Access Point.
-
Verify Changes: Verify that the policy update has been successfully applied by checking the Access Point details and ensuring that the root directory is enforced.
By following these steps, you can remediate the misconfiguration of EFS Access Point not enforcing the root directory for AWS Kubernetes using the AWS console.
Using CLI
To remediate the misconfiguration of EFS Access Point not enforcing the root directory in AWS Kubernetes using AWS CLI, you can follow these steps:
-
List EFS Access Points: First, you need to list all the existing EFS Access Points to identify the one that needs to enforce the root directory. You can use the following AWS CLI command to list all the EFS Access Points:
aws efs describe-access-points -
Get Access Point ID: Identify the Access Point ID of the EFS Access Point that needs to enforce the root directory.
-
Update Access Point Policy: Use the following AWS CLI command to update the policy of the EFS Access Point to enforce the root directory:
aws efs update-access-point --access-point-id <ACCESS_POINT_ID> --posix-user "Uid=0,Gid=0" --posix-permissions "mode=755"Replace
<ACCESS_POINT_ID>with the actual Access Point ID identified in step 2. This command enforces the root directory by setting the POSIX user ID and group ID to 0 (root) and setting the permissions to 755 for the root directory. -
Verify Configuration: Finally, verify that the EFS Access Point now enforces the root directory by checking the Access Point configuration:
aws efs describe-access-points --access-point-id <ACCESS_POINT_ID>
Ensure to replace <ACCESS_POINT_ID> with the actual Access Point ID. This command will display the details of the specified EFS Access Point, including the updated policy that enforces the root directory.
By following these steps, you can remediate the misconfiguration of EFS Access Point not enforcing the root directory in AWS Kubernetes using AWS CLI.
Using Python
To remediate the misconfiguration of EFS Access Point not enforcing root directory in AWS Kubernetes using Python, you can follow these steps:
-
Install necessary Python libraries: Ensure that you have the AWS SDK for Python (Boto3) installed in your environment. You can install it using pip:
pip install boto3 -
Update EFS Access Point Policy: You need to update the EFS Access Point policy to enforce the root directory. You can do this by creating a new policy document that restricts access to the root directory and then updating the existing EFS Access Point with this new policy.
Here is an example Python script that achieves this:
import boto3 # Initialize the EFS client efs_client = boto3.client('efs') # Specify the Access Point ID and the new policy document access_point_id = 'your_access_point_id' policy_document = { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:elasticfilesystem:your_region:your_account_id:access-point/your_access_point_id/*" }, { "Effect": "Allow", "Principal": "*", "Action": "elasticfilesystem:ClientMount", "Resource": "arn:aws:elasticfilesystem:your_region:your_account_id:file-system/your_file_system_id", "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:your_region:your_account_id:access-point/your_access_point_id" } } } ] } # Update the Access Point policy response = efs_client.update_access_point( AccessPointId=access_point_id, PosixUser={ 'Uid': 1000, 'Gid': 1000 }, RootDirectory={ 'Path': '/' }, Tags=[ { 'Key': 'Name', 'Value': 'UpdatedAccessPoint' }, ], Policy=policy_document ) print("EFS Access Point policy updated successfully.")Make sure to replace
your_access_point_id,your_region,your_account_id, andyour_file_system_idwith the appropriate values for your AWS account. -
Run the Python script: Save the above Python script in a file, for example,
update_efs_access_point.py, and run it using the Python interpreter:python update_efs_access_point.py -
Verify the configuration: After running the script, verify that the EFS Access Point policy has been updated successfully to enforce the root directory.
By following these steps, you can remediate the misconfiguration of EFS Access Point not enforcing the root directory in AWS Kubernetes using Python.