EFS Access Point Enforce User Identity

Overview

This check verifies that your Amazon EFS (Elastic File System) access points have a POSIX user identity configured. When an access point has a defined POSIX user (uid and gid), EFS enforces that identity for all file operations made through that access point, regardless of what the NFS client claims.

Risk

Without enforced POSIX identity on an access point, NFS clients can supply arbitrary user and group IDs. This opens the door to:

  • User impersonation: A malicious client could claim to be any user and access files they should not see
  • Unauthorized file access: Attackers could read or modify sensitive data by spoofing privileged user IDs
  • Lateral movement: Compromising one application sharing a file system could grant access to another application's data
  • Compliance violations: Lack of identity enforcement may violate audit requirements for access control

Configuring a POSIX user on access points ensures that the identity is controlled server-side, not by the client.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to manage EFS access points, or
  • AWS CLI configured with appropriate credentials
  • The File System ID of your EFS file system (e.g., fs-12345678)

AWS Console Method

  1. Open the Amazon EFS console
  2. In the left navigation, click Access points
  3. Find the access point that needs remediation (or click Create access point to create a new one)
  4. Note that an existing access point cannot be modified after creation; to add POSIX user settings you must create a replacement access point and then delete the old one
  5. Click Create access point and select your file system
  6. Under POSIX user, enter:
    • User ID: A numeric user ID (e.g., 1000)
    • Group ID: A numeric group ID (e.g., 1000)
    • Secondary group IDs (optional): Additional group memberships
  7. Under Root directory path, specify the directory this access point will expose (e.g., /app-data)
  8. If the directory does not exist, configure Root directory creation info:
    • Owner user ID: Same as POSIX user ID
    • Owner group ID: Same as POSIX group ID
    • Permissions: Directory permissions (e.g., 0755)
  9. Click Create access point

Important: After creating the new access point, update your applications to mount using the new access point ID.

AWS CLI

To create an access point with enforced POSIX user identity:

aws efs create-access-point \
  --file-system-id <FILE_SYSTEM_ID> \
  --posix-user "Uid=1000,Gid=1000" \
  --root-directory "Path=/app-data,CreationInfo={OwnerUid=1000,OwnerGid=1000,Permissions=0755}" \
  --tags "Key=Name,Value=app-access-point" \
  --region us-east-1

Replace:

  • <FILE_SYSTEM_ID> with your EFS file system ID (e.g., fs-12345678)
  • 1000 with your desired user and group IDs
  • /app-data with your desired root directory path

To list existing access points and check for missing POSIX users:

aws efs describe-access-points \
  --file-system-id <FILE_SYSTEM_ID> \
  --region us-east-1 \
  --query 'AccessPoints[*].{Id:AccessPointId,PosixUser:PosixUser}'

Access points without a PosixUser field (showing null) need to be recreated with POSIX user configuration.
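The same check as a script, for auditing many access points at once: the function below takes the parsed JSON of `aws efs describe-access-points` and flags access points with no PosixUser, as well as the two weak configurations called out in the Notes (a root uid/gid and an unrestricted `/` root directory). This is an added example, not part of the original page; the field names (AccessPointId, FileSystemId, PosixUser, RootDirectory, SecondaryGids) are the EFS API's own, the sample data is constructed, and the finding text is this example's.

```python
import json


def audit_access_points(describe_output: dict) -> list:
    """Return one finding per access point that does not enforce a safe POSIX identity.

    describe_output is the parsed JSON from `aws efs describe-access-points`.
    """
    findings = []
    for ap in describe_output.get("AccessPoints", []):
        reasons = []
        posix = ap.get("PosixUser")
        if not posix:
            # No PosixUser: EFS trusts whatever uid/gid the NFS client sends.
            reasons.append("no PosixUser configured (client-supplied identity)")
        else:
            if posix.get("Uid") == 0 or posix.get("Gid") == 0:
                reasons.append("PosixUser is root (uid/gid 0)")
            if 0 in posix.get("SecondaryGids", []):
                reasons.append("root (gid 0) in SecondaryGids")
        # Root directory "/" exposes the whole file system to this identity.
        root = ap.get("RootDirectory", {}).get("Path", "/")
        if root == "/":
            reasons.append("root directory is '/' (no per-application isolation)")
        if reasons:
            findings.append({"AccessPointId": ap["AccessPointId"],
                             "FileSystemId": ap.get("FileSystemId"),
                             "Reasons": reasons})
    return findings


# Constructed sample: one compliant access point, one with no PosixUser, one running as root.
SAMPLE = json.loads("""{ "AccessPoints": [
  {"AccessPointId": "fsap-aaaaaaaaaaaaaaaaa", "FileSystemId": "fs-12345678",
   "PosixUser": {"Uid": 1000, "Gid": 1000},
   "RootDirectory": {"Path": "/app-data"}},
  {"AccessPointId": "fsap-bbbbbbbbbbbbbbbbb", "FileSystemId": "fs-12345678",
   "RootDirectory": {"Path": "/"}},
  {"AccessPointId": "fsap-ccccccccccccccccc", "FileSystemId": "fs-12345678",
   "PosixUser": {"Uid": 0, "Gid": 0, "SecondaryGids": [0]},
   "RootDirectory": {"Path": "/shared"}}
]}""")

if __name__ == "__main__":
    for finding in audit_access_points(SAMPLE):
        print(f"{finding['AccessPointId']}: {'; '.join(finding['Reasons'])}")
```

To run it against a real account, pipe the output of `aws efs describe-access-points --file-system-id <FILE_SYSTEM_ID>` into `json.load` in place of SAMPLE.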

To delete an access point that lacks POSIX user configuration:

aws efs delete-access-point \
  --access-point-id <ACCESS_POINT_ID> \
  --region us-east-1

Warning: Before deleting an access point, ensure no applications are actively using it. Update application mount configurations to use the new access point ID after recreation.

CloudFormation

Create an EFS access point with enforced POSIX user identity:

AWSTemplateFormatVersion: '2010-09-09'
Description: EFS Access Point with enforced POSIX user identity

Parameters:
  FileSystemId:
    Type: String
    Description: The ID of the EFS file system (e.g., fs-12345678)

  AccessPointName:
    Type: String
    Description: Name for the access point
    Default: app-access-point

  PosixUserId:
    Type: Number
    Description: POSIX user ID for the access point
    Default: 1000

  PosixGroupId:
    Type: Number
    Description: POSIX group ID for the access point
    Default: 1000

  RootDirectoryPath:
    Type: String
    Description: Path for the access point root directory
    Default: /app-data

Resources:
  EFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref FileSystemId
      PosixUser:
        Uid: !Ref PosixUserId
        Gid: !Ref PosixGroupId
      RootDirectory:
        Path: !Ref RootDirectoryPath
        CreationInfo:
          OwnerUid: !Ref PosixUserId
          OwnerGid: !Ref PosixGroupId
          Permissions: '0755'
      AccessPointTags:
        - Key: Name
          Value: !Ref AccessPointName

Outputs:
  AccessPointId:
    Description: ID of the EFS Access Point
    Value: !Ref EFSAccessPoint

  AccessPointArn:
    Description: ARN of the EFS Access Point
    Value: !GetAtt EFSAccessPoint.Arn

Deploy the stack:

aws cloudformation create-stack \
  --stack-name efs-access-point-stack \
  --template-body file://template.yaml \
  --parameters ParameterKey=FileSystemId,ParameterValue=<FILE_SYSTEM_ID> \
  --region us-east-1

Terraform

Create an EFS access point with enforced POSIX user identity:

variable "file_system_id" {
  description = "The ID of the EFS file system"
  type        = string
}

variable "posix_uid" {
  description = "POSIX user ID for the access point"
  type        = number
  default     = 1000
}

variable "posix_gid" {
  description = "POSIX group ID for the access point"
  type        = number
  default     = 1000
}

variable "root_directory_path" {
  description = "Path for the access point root directory"
  type        = string
  default     = "/app-data"
}

resource "aws_efs_access_point" "example" {
  file_system_id = var.file_system_id

  posix_user {
    uid = var.posix_uid
    gid = var.posix_gid
  }

  root_directory {
    path = var.root_directory_path
    creation_info {
      owner_uid   = var.posix_uid
      owner_gid   = var.posix_gid
      permissions = "0755"
    }
  }

  tags = {
    Name = "app-access-point"
  }
}

output "access_point_id" {
  description = "The ID of the EFS access point"
  value       = aws_efs_access_point.example.id
}

Apply the configuration:

terraform apply -var="file_system_id=fs-12345678"

Verification

After creating or recreating your access point:

  1. In the EFS console, click Access points in the left navigation
  2. Select your access point and verify that POSIX user shows the configured User ID and Group ID

CLI verification

aws efs describe-access-points \
  --access-point-id <ACCESS_POINT_ID> \
  --region us-east-1 \
  --query 'AccessPoints[0].PosixUser'

The output should show your configured user and group IDs:

{
    "Uid": 1000,
    "Gid": 1000
}

If the output is null, the access point does not have POSIX user enforcement configured.

Additional Resources

Notes

  • Access points cannot be modified after creation. To change the POSIX user configuration, you must delete and recreate the access point. Plan for application downtime or create the new access point first, then migrate.

  • Avoid using uid/gid of 0 (root). Running as root defeats the purpose of identity enforcement. Use application-specific, non-privileged user IDs.

  • Use separate access points for different applications. Each application should have its own access point with unique POSIX user settings and restricted root directory paths. This provides isolation between applications sharing the same file system.

  • Combine with IAM policies for defense in depth. Use IAM conditions like elasticfilesystem:AccessPointArn to require that clients connect only through specific access points, preventing direct file system mounts that bypass access point controls.

  • Secondary group IDs are optional. Use them when your application needs membership in multiple groups to access different directories or files on the file system.