🎉 We are launching a new weekly show: Hot off the Cloud

🎉 We are launching a new weekly show

Enhance EFS file system protection with TLS and IAM

Andreas Wittig – 07 Sep 2022

Two significant aspects of data security are access restriction as well as confidentiality. In the following, you will learn two techniques to increase the security of data stored on an EFS file system (Amazon Elastic File System): enabling encryption of data in transit (TLS) and adding an authentication and authorization layer with IAM.

Enhance EFS file system protection with TLS and IAM

Prefer watching a video instead of reading this blog post? Here you go.

But let’s start with the initial situation.

Security Groups restrict traffic from EC2 to EFS

When EFS launched, the only way to restrict access to the network file system was to use security groups to control traffic tightly. As illustrated in the following figure, using a security group sg-ec2 for the EC2 instance and another security group sg-efs for the mount targets of the EFS file system allows restricting access to the EFS file system on the network layer.

Controlling access to EFS by using security groups

The following code snippet shows how to create an EFS file system, a mount target, as well as two security groups with the help of CloudFormation.

All the following code examples are from our book Amazon Web Services in Action (3rd edition).


Looking for a new challenge?

  • tecRacer

    Cloud Consultant • AWS Migrations

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Portugal, and Switzerland
    Assessment Transformation Change Management
  • DEMICON

    Senior Lead Full Stack Developer

    DEMICON • AWS Advanced Consulting Partner • Remote
    AWS JavaScript/TypeScript Angular React

FileSystem:
Type: 'AWS::EFS::FileSystem'
Properties:
Encrypted: true
ThroughputMode: bursting
PerformanceMode: generalPurpose
EFSClientSecurityGroup: # Attach to EC2 instance
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: 'EFS Mount target client'
VpcId: !Ref VPC
MountTargetSecurityGroup: # Attach to EFS mount target
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: 'EFS Mount target'
SecurityGroupIngress: # Allows traffic from EC2 instance with EFSClientSecurityGroup only
- IpProtocol: tcp
FromPort: 2049
ToPort: 2049
SourceSecurityGroupId: !Ref EFSClientSecurityGroup
VpcId: !Ref VPC
MountTargetA:
Type: 'AWS::EFS::MountTarget'
Properties:
FileSystemId: !Ref FileSystem
SecurityGroups:
- !Ref MountTargetSecurityGroup # Attaches the MountTargetSecurityGroup
SubnetId: !Ref SubnetA

By default, the data in transit between an EC2 instance and the EFS file system is not encrypted. But, even though the data does not leave your VPC in most scenarios, AWS recommends encrypting all data in transit.

Encryption in Transit (TLS) for EFS

It is pretty simple to enable encryption of the data in transit as EFS file systems support TLS out of the box. For this to work, you must establish a TLS tunnel to EFS before mounting on the EC2 instance. Doing so is quite simple. Install amazon-efs-utils and use the tool to mount EFS file systems, as illustrated in the following figure.

Encrypting data in transit for EFS

The following excerpt of a CloudFormation template explains the details. Direct your attention to the shell script executed via user data when the EC2 instance is first started.

EC2InstanceB:
Type: 'AWS::EC2::Instance'
Properties:
ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI]
InstanceType: 't2.micro'
IamInstanceProfile: !Ref IamInstanceProfile
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeleteOnTermination: true
DeviceIndex: 0
GroupSet:
- !Ref EFSClientSecurityGroup
SubnetId: !Ref SubnetB
UserData:
'Fn::Base64': !Sub |
#!/bin/bash -ex
trap '/opt/aws/bin/cfn-signal -e 1 --stack ${AWS::StackName} --resource EC2InstanceB --region ${AWS::Region}' ERR

# install dependencies
yum install -y nc amazon-efs-utils

# mount EFS file system
echo "${FileSystem}:/ /home efs _netdev,noresvport,tls 0 0" >> /etc/fstab
mount -a

/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2InstanceB --region ${AWS::Region}
Tags:
- Key: Name
Value: 'efs-b'
CreationPolicy:
ResourceSignal:
Timeout: PT10M

The user data script adds an entry to the /etc/fstab configuration file. The critical option is named tls which tells the efs-utils installed before establishing a TLS tunnel before mounting the network file system.

On top of that, use a file system policy to deny insecure access to the file system.

FileSystem:
Type: 'AWS::EFS::FileSystem'
Properties:
Encrypted: true
ThroughputMode: bursting
PerformanceMode: generalPurpose
FileSystemPolicy: # resource-based policy
Version: '2012-10-17'
Statement: # deny access when data in transit is not encrypted
- Effect: 'Deny'
Action: '*'
Principal:
AWS: '*'
Condition:
Bool:
'aws:SecureTransport': 'false'

The resource-based policy leads us to use IAM to authenticate and authorize requests to an EFS file system.

IAM authentication and authorization for EFS

By default, mounting an EFS file system does not require any authentication. Typically, only the security groups control access to a file system on the network level. But EFS supports IAM authentication for mounting network file systems as well.

Requiring IAM authentication and authorization for accessing EFS file systems

IAM for EFS requires two things:

  • Configuring a file system policy.
  • Attaching an IAM role to the EC2 instance.

An EFS file system without a file system policy does not require any authentication. But after defining such a resource-based policy, accessing the file system requires authentication and authorization via IAM. So when we added the file system policy to deny unencrypted traffic in the previous section, we also activated IAM authentication and authorization.

Luckily, the amazon-efs-utils do support not only TLS but also IAM. All you have to do is to add another mount parameter called iam to the /etc/fstab configuration file.

EC2InstanceB:
Type: 'AWS::EC2::Instance'
Properties:
ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI]
InstanceType: 't2.micro'
IamInstanceProfile: !Ref IamInstanceProfile
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeleteOnTermination: true
DeviceIndex: 0
GroupSet:
- !Ref EFSClientSecurityGroup
SubnetId: !Ref SubnetB
UserData:
'Fn::Base64': !Sub |
#!/bin/bash -ex
trap '/opt/aws/bin/cfn-signal -e 1 --stack ${AWS::StackName} --resource EC2InstanceB --region ${AWS::Region}' ERR

# install dependencies
yum install -y nc amazon-efs-utils

# mount EFS file system
echo "${FileSystem}:/ /home efs _netdev,noresvport,tls,iam 0 0" >> /etc/fstab
mount -a

/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2InstanceB --region ${AWS::Region}
Tags:
- Key: Name
Value: 'efs-b'
CreationPolicy:
ResourceSignal:
Timeout: PT10M

Of course, you need to assign an IAM role to the EC2 instance to grant access to the EFS file system. The following code snippet shows how to do so with CloudFormation.

IamRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- 'ec2.amazonaws.com'
Action: 'sts:AssumeRole'
Policies:
- PolicyName: efs
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'elasticfilesystem:ClientRootAccess'
- 'elasticfilesystem:ClientWrite'
- 'elasticfilesystem:ClientMount'
Resource: !GetAtt 'FileSystem.Arn'

That’s it. With IAM, you added authentication and authorization at the application layer. So you are not only relying on security groups to control access to EFS file systems anymore.

Summary

To protect your data stored on EFS (Amazon Elastic File System), I recommend enabling and enforcing encryption in transit (TLS) as well as IAM authentication and authorization. The amazon-efs-utils support TLS and IAM out of the box.

Become a cloudonaut supporter

Andreas Wittig

Andreas Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 360 articles, 49 podcast episodes, and 48 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Markus Ellers, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Shawn Tolidano, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.