EFS Access Points are not enforcing a root directory
Description
This policy verifies that Amazon Elastic File System (EFS) access points are configured to enforce a root directory. An access point without a root directory exposes the entire file system to every NFS client that mounts through it, so a client that should only see one application's data can read or modify data belonging to other tenants or workloads. Not enforcing a root directory on an EFS access point therefore removes the per-client isolation the access point is meant to provide and poses a significant security risk.
Code Example
```hcl
resource "aws_efs_access_point" "example" {
  file_system_id = aws_efs_file_system.example.id

  # Pin clients of this access point to /example; they cannot traverse above it.
  root_directory {
    path = "/example"

    # Created on first use if the directory does not already exist.
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = "755"
    }
  }
}
```
Remediation
Terraform
- Resource: aws_efs_access_point
- Arguments: root_directory.path
To fix this issue, define a root directory for the EFS access point. With `root_directory.path` set, the access point exposes only that directory and its subtree as the NFS root; clients cannot traverse above it. This limits the scope of access and adds a layer of isolation between workloads sharing one file system. Note that a path of `/` does not restrict anything, and that if the directory does not yet exist on the file system you should also supply `creation_info` so EFS can create it with the intended owner and permissions; otherwise mounts through the access point fail.
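The following is an added example, not part of this page or of Checkov's own implementation, showing how the rule can be applied to a `terraform show -json` plan. It assumes (as the description above implies) that an access point fails when `root_directory.path` is absent or is `/`, since either leaves the whole file system reachable; the sample plan is constructed inline and trimmed to the fields the check uses.

```python
"""Illustrative checker for EFS access points that do not enforce a root directory.

Assumption (added example, not Checkov's code): an aws_efs_access_point fails
when root_directory.path is missing or resolves to "/", because either one
leaves the entire file system reachable through the access point.
"""
import json

RESOURCE_TYPE = "aws_efs_access_point"


def root_directory_path(after):
    """Return root_directory.path from a planned resource's 'after' state, or None.

    In plan JSON a nested block such as root_directory is rendered as a list of
    objects, so the first (and only) element is inspected.
    """
    blocks = after.get("root_directory") or []
    if not blocks:
        return None
    return blocks[0].get("path")


def is_root_enforced(after):
    """True when the access point pins clients below a real subdirectory."""
    path = root_directory_path(after)
    if not path:
        return False
    # "/" and "//" both mean the file system root, which restricts nothing.
    return path.rstrip("/") != ""


def find_unenforced_access_points(plan):
    """Return addresses of aws_efs_access_point resources that fail the check."""
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != RESOURCE_TYPE:
            continue
        actions = change.get("change", {}).get("actions", [])
        if actions == ["delete"]:
            continue  # nothing will exist after apply, so nothing to flag
        after = change["change"].get("after") or {}
        if not is_root_enforced(after):
            findings.append(change["address"])
    return findings


# Constructed sample plan in the shape of `terraform show -json`, trimmed to the
# fields this check reads. Two access points fail, one passes, one is unrelated.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_efs_access_point.bad_missing", "type": "aws_efs_access_point",
     "change": {"actions": ["create"], "after": {"file_system_id": "fs-0000"}}},
    {"address": "aws_efs_access_point.bad_root", "type": "aws_efs_access_point",
     "change": {"actions": ["create"], "after": {"file_system_id": "fs-0000",
       "root_directory": [{"path": "/", "creation_info": []}]}}},
    {"address": "aws_efs_access_point.good", "type": "aws_efs_access_point",
     "change": {"actions": ["create"], "after": {"file_system_id": "fs-0000",
       "root_directory": [{"path": "/example",
         "creation_info": [{"owner_gid": 1000, "owner_uid": 1000, "permissions": "755"}]}]}}},
    {"address": "aws_efs_file_system.example", "type": "aws_efs_file_system",
     "change": {"actions": ["create"], "after": {}}}
  ]
}
""")

if __name__ == "__main__":
    for address in find_unenforced_access_points(SAMPLE_PLAN):
        print(f"IAC-0376 / CKV_AWS_329: {address} does not enforce a root directory")
```

Run it against a real plan with `terraform show -json tfplan | python check_efs_ap.py` after replacing `SAMPLE_PLAN` with `json.load(sys.stdin)`; values that are unknown until apply appear under `after_unknown` rather than `after`, and a path computed at apply time would need to be checked in a second pass after `terraform apply`.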
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0376 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_329 |