EFS file system has all access points with a defined POSIX user

efs_access_point_enforce_user_identity

Severity: medium
Service: efs
by Prowler

Amazon EFS access points are evaluated for a defined POSIX user (uid, gid, optional secondary groups). The check inspects each access point on a file system and flags those without a configured POSIX user identity.

Risk

Without enforced POSIX identity, NFS clients can supply arbitrary UIDs/GIDs, enabling impersonation, unauthorized reads/writes, and ownership spoofing. This undermines confidentiality and integrity of shared data and can enable lateral movement across applications sharing the file system.

Run this check with Prowler CLI

prowler aws --checks efs_access_point_enforce_user_identity

Recommendation

Enforce a POSIX user identity on every access point using least-privilege uid/gid (avoid 0). Apply separation of duties with dedicated access points per application and minimal groups. Use IAM to require access point usage and add defense in depth by enforcing a restricted root directory.
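To make the check logic above concrete, here is an added example (not Prowler's own source) that classifies access points by their PosixUser setting, in the shape that boto3's describe_access_points returns. It also flags uid/gid 0 as a warning, following the recommendation to avoid root; the sample access points and the assumption that a file system with no access points passes vacuously are constructed for this illustration.

```python
"""Added example, not Prowler's source: evaluate EFS access points for an
enforced POSIX user, mirroring the check described on this page."""

# Constructed sample in the shape of
# boto3 efs.describe_access_points(FileSystemId=...)["AccessPoints"].
SAMPLE_ACCESS_POINTS = [
    {"AccessPointId": "fsap-0000000000000000a", "FileSystemId": "fs-example",
     "PosixUser": {"Uid": 1000, "Gid": 1000}},                   # enforced
    {"AccessPointId": "fsap-0000000000000000b", "FileSystemId": "fs-example"},
    # no PosixUser: clients may present any uid/gid
    {"AccessPointId": "fsap-0000000000000000c", "FileSystemId": "fs-example",
     "PosixUser": {"Uid": 0, "Gid": 0}},                         # enforced as root
]


def posix_user_status(access_point: dict) -> str:
    """PASS when uid and gid are both set, FAIL when either is missing,
    WARN when the enforced identity is root (uid or gid 0)."""
    user = access_point.get("PosixUser") or {}
    if "Uid" not in user or "Gid" not in user:
        return "FAIL"
    if user["Uid"] == 0 or user["Gid"] == 0:
        return "WARN"
    return "PASS"


def evaluate_access_points(access_points: list) -> list:
    """One finding per access point: its id and PASS/WARN/FAIL status."""
    return [{"id": ap["AccessPointId"], "status": posix_user_status(ap)}
            for ap in access_points]


def file_system_passes(access_points: list) -> bool:
    """The check's unit is the file system: it passes only when every access
    point enforces a POSIX user. Assumption: zero access points passes."""
    return all(posix_user_status(ap) != "FAIL" for ap in access_points)


def fetch_access_points(file_system_id: str, region: str) -> list:
    """Live variant (needs boto3 and AWS credentials; not used offline)."""
    import boto3  # imported here so the offline sample runs without it
    client = boto3.client("efs", region_name=region)
    paginator = client.get_paginator("describe_access_points")
    found = []
    for page in paginator.paginate(FileSystemId=file_system_id):
        found.extend(page["AccessPoints"])
    return found


if __name__ == "__main__":
    for finding in evaluate_access_points(SAMPLE_ACCESS_POINTS):
        print(f'{finding["id"]}: {finding["status"]}')
    print("file system passes:", file_system_passes(SAMPLE_ACCESS_POINTS))
```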

Remediation

Native IAC
Resources:
  ExampleAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: "<example_resource_id>"
      PosixUser:               # Critical: enforces a POSIX user for all requests via this access point
        Uid: "<uid>"          # Critical: POSIX user ID enforced
        Gid: "<gid>"          # Critical: POSIX group ID enforced
Terraform
resource "aws_efs_access_point" "example" {
  file_system_id = "<example_resource_id>"

  # Critical: enforces a POSIX user for all requests via this access point
  posix_user {
    uid = 1000  # Critical: user ID enforced
    gid = 1000  # Critical: group ID enforced
  }
}
Other
  1. In the AWS Console, go to Amazon EFS > Access points
  2. Click Create access point, select the file system, and set POSIX user: enter User ID and Group ID
  3. Click Create access point
  4. Update clients to mount using the new access point ID
  5. Delete the old access point(s) that lack a POSIX user

Resource Type

AwsEfsAccessPoint
