New EFS access control is available now


I have been using EFS for a while to store my shared application data. Generally speaking it is good in terms of scalability and performance. My concern is mostly around the security, as it only uses security group to control the access. It is a risk if it is used in a multi-tenants environments, as there is no granular access control to the directories on the same EFS.

AWS had this concern as well I think. Otherwise they wont release a new feature 🙂 – New for Amazon EFS – IAM Authorization and Access Points

In short, now you are able to use IAM to control the (read/write/root) access to the EFS, and use Access Point to control who (uid, gid) have what (file system path) permissions (e.g 644). The best practice is to use both to meet the security requirements at different layers.

Sample command:

sudo mount -t efs -o iam,tls,accesspoint=fsap-0204ce67a2208742e fs-d1188b58 /mnt/shared

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s