EFS Access Point Enforce Root Directory
Overview
This check verifies that Amazon EFS (Elastic File System) access points do not expose the root directory (/) of the file system. Each access point should be configured with a specific subdirectory path so that clients mounting through it see only the part of the file system their application needs.
Think of it like this: instead of giving someone keys to your entire house, you give them a key that only opens one room.
Risk
When an EFS access point uses / as its root directory, any client mounting through that access point sees the entire file system and can read or change whatever the enforced POSIX user's file permissions allow. This creates several risks:
- Sensitive data exposure: Applications may read files they should not have access to
- Data tampering: A compromised application could modify or delete other applications' data
- Cross-application attacks: One vulnerable application could be used to attack data belonging to others
Severity: Medium
Remediation Steps
Prerequisites
You need access to the AWS Console or AWS CLI with permissions to manage EFS access points (elasticfilesystem:CreateAccessPoint, elasticfilesystem:DeleteAccessPoint, elasticfilesystem:DescribeAccessPoints).
AWS Console Method
- Open the Amazon EFS console
- In the left navigation, click Access points
- Find the access point whose Root directory path is set to /
- Note its File system ID and any POSIX user settings (you will need these for the replacement)
- Click Create access point to create the replacement
- Select the same File system ID
- Under Root directory path, enter a subdirectory such as /data or /app-name
- Configure the POSIX user settings as needed (user ID, group ID)
- Under Root directory creation permissions, set the owner UID, GID, and permissions (e.g., 0755)
- Click Create access point
- Update every application that used the old access point to the new access point ID and confirm it still works
- Select the old access point, click Delete, and confirm the deletion
Important: Create the replacement and repoint applications before deleting the old access point. The replacement gets a new access point ID, and deleting the old one first leaves applications without a usable access point until the cutover is done.
AWS CLI (optional)
Step 1: List access points in the region whose root directory is /
aws efs describe-access-points \
--region us-east-1 \
--query 'AccessPoints[?RootDirectory.Path==`/`].[AccessPointId,FileSystemId,RootDirectory.Path]' \
--output table
Step 2: Create the replacement access point with a restricted root directory, on the same file system and with the POSIX user the old access point enforced
aws efs create-access-point \
--file-system-id fs-0123456789abcdef0 \
--posix-user Uid=1000,Gid=1000 \
--root-directory "Path=/data,CreationInfo={OwnerUid=1000,OwnerGid=1000,Permissions=0755}" \
--region us-east-1
Step 3: Repoint applications to the AccessPointId returned in Step 2, then delete the old access point
aws efs delete-access-point \
--access-point-id fsap-0123456789abcdef0 \
--region us-east-1
Replace the following placeholders:
- fsap-0123456789abcdef0: the ID of the old access point rooted at /
- fs-0123456789abcdef0: your file system ID
- /data: your desired subdirectory path
- 1000: your desired POSIX user and group IDs
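Putting the console and CLI steps together, the following script is an added example; it is not part of the original page or of any AWS tooling. It assumes a configured AWS CLI v2 with the permissions listed under Prerequisites. The ROOT_DIR_PERMS variable, the 1000/1000 owner fallback used when the old access point enforces no POSIX user, and the fsap-/fs- IDs in the usage comment are the example's own assumptions. It creates the scoped replacement first, waits until it is available, and deletes the old access point only then, so applications can be repointed without a gap; secondary GIDs of the old POSIX user are not carried over.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): scope an EFS access point that is
# rooted at "/" by creating a replacement under a subdirectory, waiting until it
# is available, and only then deleting the old one. Assumes a configured AWS
# CLI v2 with Describe/Create/DeleteAccessPoint permissions.
set -eu

REGION="${AWS_REGION:-us-east-1}"
PERMS="${ROOT_DIR_PERMS:-0755}"   # assumed default creation permissions for the new root

# Print "AccessPointId<TAB>FileSystemId" for every access point in the region
# whose root directory is "/" (the condition this check flags).
list_root_access_points() {
  aws efs describe-access-points --region "$REGION" \
    --query 'AccessPoints[?RootDirectory.Path==`/`].[AccessPointId,FileSystemId]' \
    --output text
}

# Print "FileSystemId<TAB>Uid<TAB>Gid" for one access point; Uid and Gid are the
# literal string "None" when it enforces no POSIX user.
describe_posix_user() {
  aws efs describe-access-points --region "$REGION" --access-point-id "$1" \
    --query 'AccessPoints[0].[FileSystemId,PosixUser.Uid,PosixUser.Gid]' \
    --output text
}

# Print the LifeCycleState of an access point (creating, available, ...).
lifecycle_state() {
  aws efs describe-access-points --region "$REGION" --access-point-id "$1" \
    --query 'AccessPoints[0].LifeCycleState' --output text
}

# root_directory_arg PATH UID GID: build the --root-directory shorthand.
# Refuses "/" and relative paths so the script cannot recreate the finding.
root_directory_arg() {
  case "$1" in
    /)  echo "refusing to create an access point rooted at /" >&2; return 1 ;;
    /*) ;;
    *)  echo "root directory must be an absolute path, got: $1" >&2; return 1 ;;
  esac
  printf 'Path=%s,CreationInfo={OwnerUid=%s,OwnerGid=%s,Permissions=%s}\n' \
    "$1" "$2" "$3" "$PERMS"
}

# replace_access_point OLD_AP NEW_PATH: create the scoped replacement on the same
# file system with the same POSIX user, wait for it, delete the old access point
# and print the new ID (applications must be repointed to it).
replace_access_point() {
  old_ap="$1"; new_path="$2"
  # shellcheck disable=SC2046  # tab-separated fields are split on purpose
  set -- $(describe_posix_user "$old_ap")
  fs="$1"; uid="$2"; gid="$3"
  posix_args=""
  if [ "$uid" != "None" ]; then
    posix_args="--posix-user Uid=$uid,Gid=$gid"   # secondary GIDs are not carried over
  else
    uid=1000; gid=1000   # assumed owner for the new directory when no POSIX user is enforced
  fi
  root_dir="$(root_directory_arg "$new_path" "$uid" "$gid")"
  # shellcheck disable=SC2086  # posix_args is intentionally word-split (may be empty)
  new_ap="$(aws efs create-access-point --region "$REGION" --file-system-id "$fs" \
    $posix_args --root-directory "$root_dir" --query AccessPointId --output text)"
  while [ "$(lifecycle_state "$new_ap")" != "available" ]; do sleep 5; done
  aws efs delete-access-point --region "$REGION" --access-point-id "$old_ap"
  echo "$new_ap"
}

# Usage:  ./efs-scope-access-point.sh audit
#         ./efs-scope-access-point.sh fix fsap-0123456789abcdef0 /data
case "${1:-}" in
  audit) list_root_access_points ;;
  fix)   replace_access_point "$2" "$3" ;;
esac
```

Run `audit` first to list the offending access points in the region, then `fix <old-access-point-id> <subdirectory>` for each one; the ID it prints is the new access point to put into your Lambda, ECS or mount configuration before the old one disappears.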
CloudFormation (optional)
Use this CloudFormation template to create an EFS access point with a secure root directory; the RootDirectoryPath parameter carries an AllowedPattern so that a stack cannot be deployed with / itself:
AWSTemplateFormatVersion: '2010-09-09'
Description: EFS Access Point with enforced root directory
Parameters:
  FileSystemId:
    Type: String
    Description: The ID of the EFS file system
  RootDirectoryPath:
    Type: String
    Default: /data
    Description: The root directory path for the access point (must not be /)
    AllowedPattern: '^/.+$'
    ConstraintDescription: Must be an absolute path below the file system root, not / itself
  PosixUserId:
    Type: Number
    Default: 1000
    Description: POSIX user ID for the access point
  PosixGroupId:
    Type: Number
    Default: 1000
    Description: POSIX group ID for the access point
Resources:
  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref FileSystemId
      PosixUser:
        Uid: !Ref PosixUserId
        Gid: !Ref PosixGroupId
      RootDirectory:
        Path: !Ref RootDirectoryPath
        CreationInfo:
          OwnerUid: !Ref PosixUserId
          OwnerGid: !Ref PosixGroupId
          Permissions: '0755'
Outputs:
  AccessPointId:
    Description: The ID of the EFS access point
    Value: !Ref EFSAccessPoint
  AccessPointArn:
    Description: The ARN of the EFS access point
    Value: !GetAtt EFSAccessPoint.Arn
Deploy the template:
aws cloudformation create-stack \
--stack-name efs-secure-access-point \
--template-body file://template.yaml \
--parameters \
ParameterKey=FileSystemId,ParameterValue=fs-0123456789abcdef0 \
ParameterKey=RootDirectoryPath,ParameterValue=/data \
--region us-east-1
Terraform (optional)
Use this Terraform configuration to create an EFS access point with a secure root directory:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
variable "file_system_id" {
  description = "The ID of the EFS file system"
  type        = string
}
variable "root_directory_path" {
  description = "The root directory path for the access point (must not be /)"
  type        = string
  default     = "/data"
  validation {
    condition     = var.root_directory_path != "/"
    error_message = "Root directory path must not be / to enforce security best practices."
  }
}
variable "posix_user_id" {
  description = "POSIX user ID for the access point"
  type        = number
  default     = 1000
}
variable "posix_group_id" {
  description = "POSIX group ID for the access point"
  type        = number
  default     = 1000
}
resource "aws_efs_access_point" "this" {
  file_system_id = var.file_system_id
  posix_user {
    uid = var.posix_user_id
    gid = var.posix_group_id
  }
  root_directory {
    path = var.root_directory_path
    creation_info {
      owner_uid   = var.posix_user_id
      owner_gid   = var.posix_group_id
      permissions = "0755"
    }
  }
  tags = {
    Name = "secure-access-point"
  }
}
output "access_point_id" {
  description = "The ID of the EFS access point"
  value       = aws_efs_access_point.this.id
}
output "access_point_arn" {
  description = "The ARN of the EFS access point"
  value       = aws_efs_access_point.this.arn
}
Apply the configuration:
terraform init
terraform apply -var="file_system_id=fs-0123456789abcdef0"
Verification
After remediation, verify the fix:
- Go to the EFS console and click Access points
- Check that the Root directory path column shows a subdirectory (not /) for every access point
- Test that your application still works with the new access point
CLI verification commands
List all access points and their root directories:
aws efs describe-access-points \
--region us-east-1 \
--query 'AccessPoints[].[AccessPointId,FileSystemId,RootDirectory.Path]' \
--output table
Check for any remaining access points with root directory /:
aws efs describe-access-points \
--region us-east-1 \
--query 'AccessPoints[?RootDirectory.Path==`/`].AccessPointId' \
--output text
If the second command returns no output, no access point in that region is rooted at /. Access points are regional, so repeat the check in every region where you use EFS.
Additional Resources
- AWS EFS Access Points Documentation
- Working with EFS Access Points
- EFS Security Best Practices
- AWS Security Hub EFS Controls
Notes
- Application updates required: When you delete and recreate an access point, you get a new access point ID. Update your application configurations, Lambda functions, or ECS task definitions to use the new ID.
- Directory creation: If the subdirectory path you specify does not exist, EFS creates it when a client first connects, using the CreationInfo settings you provide. Without CreationInfo, mounts through the access point fail until the directory exists.
- POSIX permissions: The access point enforces the POSIX user and group you configure for every client that mounts through it. This is in addition to the root directory restriction and provides another layer of access control.
- No in-place modification: EFS access points cannot be modified after creation (only their tags can change). You must delete and recreate them to change the root directory path.
- Only enforced through the access point: The root directory restriction applies to clients that mount through the access point. A client permitted to mount the file system directly still sees /, so where that matters, use an EFS file system policy (for example, a condition on elasticfilesystem:AccessPointArn) to require mounting through an access point.