
I've been looking into EFS file system policies, and still haven't understood what kind of access would be blocked in this policy:

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
    "Statement": [
        {
            "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

But not in this one (without the condition):

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
    "Statement": [
        {
            "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ]
        }
    ]
}

As I understand it, mount targets are what gives your EFS volume an IP for you to access it. Is it possible to have an access that is not via a mount target?

Leonardo Dagnino

1 Answer


The second policy is considered a public access policy for the EFS. The meaning of "public" is different than, for example, for public S3 buckets.

From what I understand, for the end user there is no difference between public and non-public. The only difference seems to be related to internal systems that AWS uses, namely AWS Transfer Family. From the docs:

When you use Amazon EFS with AWS Transfer Family, file system access requests received from a Transfer Family server that is owned by a different account than the file system are blocked if the file system allows public access.

Since the second policy is considered public, AWS Transfer Family will not work with EFS. Thus you have to ensure that your filesystem is non-public.

Marcin
  • Yes, they are considered non-public by Transfer Family (actually, I copied the examples from that exact page :) ). But if you check all other values that make a policy non-public, they are limiting some kind of access: to a certain VPC, to a certain account, etc. But what does AccessedViaMountTarget block for it to not be considered public anymore? Its name implies it can be accessed without going through a mount target, but I failed to find a case of that. That's what I want to find out. – Leonardo Dagnino Mar 14 '22 at 15:58
  • @LeonardoDagnino I'm not aware of any method to access EFS without mount targets. It must be an internal AWS system issue. Thus they introduced this "hack" with policies. – Marcin Mar 14 '22 at 23:48
  • @Marcin: can I use this policy as an IAM policy attached to an IAM user, or as an SCP, instead of as an EFS file system policy? I don't know if they work the same, because when I tried to create a Transfer Family server, the wizard did not require me to input any existing EFS. – Tien Dung Tran Mar 22 '22 at 10:21
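The rule the answer and the comments describe, turned into a small checker that flags which statements make an EFS file system policy "public" (an added example, not code from the question, the answer or AWS; the set of narrowing condition keys is an assumption, with only AccessedViaMountTarget, VPC and account restrictions taken from this thread):

```python
# Assumed set of narrowing condition keys; the thread names "via a mount
# target", "a certain VPC" and "a certain account" as the kinds of
# restriction that stop a wildcard-principal policy from being public.
NARROWING_CONDITION_KEYS = {
    "elasticfilesystem:AccessedViaMountTarget",
    "aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp",
    "aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:PrincipalArn",
}
_NARROWING_LOWER = {k.lower() for k in NARROWING_CONDITION_KEYS}

def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def _condition_keys(condition):
    """Flatten {"Bool": {"k": v}, "StringEquals": {...}} into lower-cased key names
    (IAM condition keys are case-insensitive)."""
    return {key.lower() for operands in condition.values() for key in operands}

def public_statements(policy):
    """Sids of Allow statements that open the file system to any principal
    without a narrowing condition, i.e. the statements that make it public."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and _principal_is_wildcard(stmt.get("Principal"))
        and not (_condition_keys(stmt.get("Condition", {})) & _NARROWING_LOWER)
    ]

def efs_policy(condition=None):
    """Constructed copy of the question's statement, with an optional Condition."""
    stmt = {
        "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["elasticfilesystem:ClientMount",
                   "elasticfilesystem:ClientWrite",
                   "elasticfilesystem:ClientRootAccess"],
    }
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

MOUNT_TARGET_ONLY = {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}
```

Running `public_statements(efs_policy(MOUNT_TARGET_ONLY))` returns an empty list (the first policy in the question), while `public_statements(efs_policy())` returns the Sid of the unconditioned statement (the second policy).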