Blocking public access - Amazon Elastic File System

Blocking public access

The Amazon EFS block public access feature provides settings to help you manage public access to Amazon EFS file systems. By default, new Amazon EFS file systems don't allow public access. However, you can modify file system policies to allow public access.

Blocking public access with AWS Transfer Family

When you use Amazon EFS with AWS Transfer Family, file system access requests received from a Transfer Family server that is owned by a different account than the file system are blocked if the file system allows public access. Amazon EFS evaluates the file system's IAM policies, and if the policy is public, it blocks the request. To permit AWS Transfer Family access to your file system, update your file system policy so that it is not considered public.

Note

Using Transfer Family with Amazon EFS is disabled by default for AWS accounts that have EFS file systems with policies that allow public access that were created before January 6, 2021. To enable using Transfer Family to access your file system, contact AWS Support.

The meaning of "public"

When evaluating whether a file system allows public access, Amazon EFS assumes that the file system policy is public. It then evaluates the file system policy to determine if it qualifies as non-public. To be considered non-public, a file system policy must grant access only to fixed values (values that don't contain a wild card) of one or more of the following:

  • A set of Classless Inter-Domain Routings (CIDRs), using aws:SourceIp. For more information about CIDR, see RFC 4632 on the RFC Editor website.

  • An AWS principal, user, role, or service principal (for example, aws:PrincipalOrgID)

  • aws:SourceArn

  • aws:SourceVpc

  • aws:SourceVpce

  • aws:SourceOwner

  • aws:SourceAccount

  • elasticfilesystem:AccessedViaMountTarget

  • aws:userid, outside the pattern "AROLEID:*"

Under these rules, the following example policy is considered public.

{ "Version": "2012-10-17", "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55", "Statement": [ { "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess" ] } ] }

You can make this file system policy non-public by using the EFS condition key elasticfilesystem:AccessedViaMountTarget set to true. You can use elasticfilesystem:AccessedViaMountTarget to allow the specified EFS actions to clients accessing the EFS file system using a file system mount target. The following non-public policy uses the elasticfilesystem:AccessedViaMountTarget condition key set to true.

{ "Version": "2012-10-17", "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55", "Statement": [ { "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess" ], "Condition": { "Bool": { "elasticfilesystem:AccessedViaMountTarget": "true" } } } ] }

For more information about Amazon EFS condition keys, see EFS Condition Keys for Clients. For more information about creating file system policies, see Creating file system policies.