EFS Access Points User Identity Should Be Enforced
More Info:
This rule checks if Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. It is marked as non-compliant if ‘PosixUser’ is not defined or if parameters are provided and there is no match in the corresponding parameter.Risk Level
HighAddress
SecurityCompliance Standards
CBP,RBI_MD_ITFTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of EFS Access Points User Identity not being enforced in AWS Kubernetes using the AWS console, you can follow these step-by-step instructions:
- Login to AWS Console: Go to the AWS Management Console and login with your credentials.
- Navigate to Amazon EFS service: Click on “Services” in the top menu bar, search for “EFS” in the search bar, and click on “Amazon EFS” to open the EFS dashboard.
- Select the EFS File System: From the list of available EFS file systems, select the EFS file system for which you want to enforce user identity for access points.
- Create Access Points: If you haven’t already created an access point for the EFS file system, you will need to create one. Click on the “Access points” tab in the EFS dashboard, then click on the “Create access point” button.
- Configure Access Point: Fill in the necessary details for the access point, such as the name, root directory path, owner UID, owner GID, and POSIX permissions. Ensure that you specify the correct owner UID and owner GID to enforce user identity.
- Enable User Identity Enforcement: In the access point configuration, make sure to select the option to “Enforce user identity” to ensure that the user identity is enforced for the access point.
- Save Changes: Once you have configured the access point with the necessary details and enabled user identity enforcement, click on the “Create access point” button to save the changes.
- Update Kubernetes Configurations: Update your Kubernetes configurations to use the newly created EFS access point with user identity enforcement enabled. You may need to update your PersistentVolumeClaims (PVCs) and PersistentVolumes (PVs) to use the access point.
Using CLI
Using CLI
To remediate the misconfiguration of EFS Access Points User Identity not being enforced in AWS Kubernetes using AWS CLI, follow these steps:
-
Identify the EFS Access Points that need to enforce User Identity:
- List all the EFS Access Points in your AWS account using the following AWS CLI command:
- List all the EFS Access Points in your AWS account using the following AWS CLI command:
-
Update the EFS Access Points to enforce User Identity:
- For each EFS Access Point identified in step 1, update the access point to enforce user identity using the following AWS CLI command:
Replace
<access-point-id>with the actual ID of the EFS Access Point that needs to enforce user identity. ReplaceUid=1000,Gid=1000with the appropriate POSIX user identity that you want to enforce.
- For each EFS Access Point identified in step 1, update the access point to enforce user identity using the following AWS CLI command:
-
Verify the changes:
- After updating the EFS Access Points, verify that the user identity enforcement is in place by describing the access point again using the following AWS CLI command:
Ensure that the
PosixUserfield reflects the updated user identity settings.
- After updating the EFS Access Points, verify that the user identity enforcement is in place by describing the access point again using the following AWS CLI command:
Using Python
Using Python
To remediate the misconfiguration of EFS Access Points user identity not being enforced in AWS Kubernetes using Python, you can follow these steps:
-
Install the necessary Python libraries:
-
Use the following Python script to enforce user identity for EFS Access Points in AWS:
- Run the Python script to enforce user identity for all EFS Access Points in your AWS account.