This control checks whether Amazon EFS access points are configured to enforce a user identity. The control fails when no POSIX user identity (Uid and Gid) was defined at the time the EFS access point was created.
Risk
Without enforcing a user identity, access to the file system can become less controlled, leading to potential unauthorized access or modifications.
Run this check with Prowler CLI
prowler aws --checks efs_access_point_enforce_user_identity
ARN template
arn:aws:elasticfilesystem:{region}:{account-id}:access-point/{access-point-id}
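The following is an added example, not Prowler's own source, showing the check logic in Python: it walks the output of the EFS DescribeAccessPoints API and reports PASS or FAIL per access point depending on whether a POSIX user (both Uid and Gid) was pinned at creation. The sample response data is constructed; the account id, region and resource ids in it are placeholders. The `fetch_access_points` helper takes a boto3 EFS client as a parameter so the evaluation can be exercised offline.

```python
"""Check EFS access points for an enforced POSIX user identity.

Added example (not Prowler's own code): evaluates DescribeAccessPoints
output and reports PASS/FAIL per access point, mirroring the logic of
the efs_access_point_enforce_user_identity check.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource_id: str
    resource_arn: str
    status: str  # "PASS" or "FAIL"
    message: str


def has_enforced_identity(access_point: dict) -> bool:
    """True when the access point pins a POSIX user (both Uid and Gid set).

    EFS returns PosixUser only when one was supplied at creation time; an
    access point without it passes the NFS client's own uid/gid through.
    """
    posix_user = access_point.get("PosixUser") or {}
    return posix_user.get("Uid") is not None and posix_user.get("Gid") is not None


def evaluate_access_points(access_points: list[dict]) -> list[Finding]:
    """Produce one finding per access point, in the style of a Prowler report."""
    findings = []
    for ap in access_points:
        ap_id = ap.get("AccessPointId", "<unknown>")
        arn = ap.get("AccessPointArn", "")
        fs_id = ap.get("FileSystemId", "<unknown>")
        if has_enforced_identity(ap):
            uid, gid = ap["PosixUser"]["Uid"], ap["PosixUser"]["Gid"]
            findings.append(Finding(ap_id, arn, "PASS",
                f"EFS access point {ap_id} on {fs_id} enforces POSIX user {uid}:{gid}."))
        else:
            findings.append(Finding(ap_id, arn, "FAIL",
                f"EFS access point {ap_id} on {fs_id} does not enforce a POSIX user identity."))
    return findings


def fetch_access_points(efs_client) -> list[dict]:
    """Collect every access point in the region via DescribeAccessPoints.

    Takes an already-created boto3 EFS client (e.g. boto3.client("efs")) so
    the evaluation above can be tested offline; pagination follows the
    API's NextToken contract.
    """
    access_points, kwargs = [], {}
    while True:
        resp = efs_client.describe_access_points(**kwargs)
        access_points.extend(resp.get("AccessPoints", []))
        token = resp.get("NextToken")
        if not token:
            return access_points
        kwargs = {"NextToken": token}


# Constructed sample resembling a DescribeAccessPoints response: one
# compliant access point and one created without --posix-user.
# Account id, region and resource ids are placeholders.
SAMPLE_ACCESS_POINTS = [
    {
        "AccessPointId": "fsap-0123456789abcdef0",
        "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0123456789abcdef0",
        "FileSystemId": "fs-0123456789abcdef0",
        "PosixUser": {"Uid": 1000, "Gid": 1000},
        "RootDirectory": {"Path": "/app"},
        "LifeCycleState": "available",
    },
    {
        "AccessPointId": "fsap-0fedcba9876543210",
        "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0fedcba9876543210",
        "FileSystemId": "fs-0123456789abcdef0",
        "RootDirectory": {"Path": "/"},
        "LifeCycleState": "available",
    },
]


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live account replace
    # SAMPLE_ACCESS_POINTS with fetch_access_points(boto3.client("efs")).
    for f in evaluate_access_points(SAMPLE_ACCESS_POINTS):
        print(f"{f.status}\t{f.resource_id}\t{f.message}")
```

A Uid of 0 is a valid pinned identity (root), which is why the helper tests for `None` rather than truthiness. Note that the EFS API has no update operation for an access point's POSIX user, so a FAIL is remediated by creating a replacement access point with `--posix-user` (as in the Remediation section) and retiring the old one.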
Recommendation
Create or update the EFS access point to enforce a user identity using POSIX attributes for Uid and Gid.
Remediation
CLI
aws efs create-access-point --file-system-id <file-system-id> --posix-user Uid=<uid>,Gid=<gid>
Resource Type
AwsEfsAccessPoint