This check evaluates whether each Amazon EFS access point on a file system defines a POSIX user identity (uid, gid, and optional secondary gids) and flags any access point without one.
Risk
Without enforced POSIX identity, NFS clients can supply arbitrary UIDs/GIDs, enabling impersonation, unauthorized reads/writes, and ownership spoofing. This undermines confidentiality and integrity of shared data and can enable lateral movement across applications sharing the file system.
prowler aws --checks efs_access_point_enforce_user_identity
Recommendation
Enforce a POSIX user identity on every access point using least-privilege uid/gid (avoid 0). Apply separation of duties with dedicated access points per application and minimal groups. Use IAM to require access point usage and add defense in depth by enforcing a restricted root directory.
Remediation
- In the AWS Console, go to Amazon EFS > Access points
- Click Create access point, select the file system, and set POSIX user: enter User ID and Group ID
- Click Create access point
- Update clients to mount using the new access point ID
- Delete the old access point(s) that lack a POSIX user
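The evaluation the check performs, written out as an added example (not Prowler's own code): each access point description in the shape returned by EFS DescribeAccessPoints is classified as FAIL when no PosixUser is enforced, and, following the recommendation above, WARN when the enforced identity is root (uid/gid 0). The access point and file system ids in the sample are constructed placeholders; the boto3 collector is kept in a separate function so the rest runs offline.

```python
"""Classify EFS access points by whether they enforce a POSIX user identity."""
from __future__ import annotations
from typing import Iterable


def evaluate_access_point(ap: dict) -> tuple[str, str]:
    """Return (status, reason) for one DescribeAccessPoints entry."""
    ap_id = ap["AccessPointId"]
    posix = ap.get("PosixUser")
    # No PosixUser (or an incomplete one) means the NFS client picks its own uid/gid.
    if not posix or "Uid" not in posix or "Gid" not in posix:
        return "FAIL", f"{ap_id} does not enforce a POSIX user identity"
    # Identity is enforced but maps every client to root: least privilege says avoid 0.
    if posix["Uid"] == 0 or posix["Gid"] == 0 or 0 in posix.get("SecondaryGids", []):
        return "WARN", f"{ap_id} enforces a root (uid/gid 0) identity"
    return "PASS", f"{ap_id} enforces uid={posix['Uid']} gid={posix['Gid']}"


def evaluate_file_system(access_points: Iterable[dict]) -> dict[str, list[str]]:
    """Group access point ids by status so findings can be reported per file system."""
    result: dict[str, list[str]] = {"PASS": [], "WARN": [], "FAIL": []}
    for ap in access_points:
        status, _reason = evaluate_access_point(ap)
        result[status].append(ap["AccessPointId"])
    return result


def fetch_access_points(file_system_id: str) -> list[dict]:
    """Live collection with boto3 (imported here so the module loads without it)."""
    import boto3
    efs = boto3.client("efs")
    pages = efs.get_paginator("describe_access_points").paginate(FileSystemId=file_system_id)
    return [ap for page in pages for ap in page["AccessPoints"]]


# Constructed sample shaped like DescribeAccessPoints output; ids are placeholders.
SAMPLE_ACCESS_POINTS = [
    {"AccessPointId": "fsap-0000000000000001", "FileSystemId": "fs-00000001",
     "PosixUser": {"Uid": 1001, "Gid": 1001}, "RootDirectory": {"Path": "/app1"}},
    {"AccessPointId": "fsap-0000000000000002", "FileSystemId": "fs-00000001",
     "RootDirectory": {"Path": "/"}},  # no PosixUser: clients choose their own identity
    {"AccessPointId": "fsap-0000000000000003", "FileSystemId": "fs-00000001",
     "PosixUser": {"Uid": 0, "Gid": 0}, "RootDirectory": {"Path": "/"}},  # enforced, but root
]

if __name__ == "__main__":
    for status, ids in evaluate_file_system(SAMPLE_ACCESS_POINTS).items():
        print(status, ids)
```

Replace the sample with `fetch_access_points("fs-...")` to run the same classification against a live account.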
Source Code
Resource Type
AwsEfsAccessPoint
References
- https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html
- https://repost.aws/knowledge-center/efs-access-points-directory-access
- https://www.plerion.com/cloud-knowledge-base/efs-access-points-should-be-configured-to-enforce-a-user-identity
- https://docs.aws.amazon.com/efs/latest/ug/enforce-identity-access-points.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/efs-controls.html#efs-4