Now you can analyze IAM access to Amazon Elastic File System (EFS) APIs and file systems with k9 Security. Elastic File System is a serverless, fully elastic block file storage that automatically grows and shrinks as you add and remove files, with no need for management or provisioning. But it is difficult to understand what IAM users and roles (principals) could do with EFS file systems net of all the security policies in an account. Now k9 Security reports which IAM principals can administer EFS resources and read, write, or delete data on EFS file systems.

If you’re wondering which IAM principals can access your EFS APIs and file systems, k9 can give you a short list to review. k9 analyzes AWS accounts and reports which IAM principals in your account can use the EFS APIs (e.g. elasticfilesystem:DeleteFileSystem). Critically, k9 also reports what principals can do to each of your EFS file systems. This is particularly useful because EFS supports attaching a resource policy to a file system, which is a common way to grant principals access to the file system’s data, in addition to access granted by identity policies attached to the principal.

k9 simplifies understanding each principal’s access to APIs and resources by mapping it to a k9 access capability such as administer-resource or delete-data.

Analyze access to EFS APIs and file systems

k9 analyzes access to Elastic File System APIs and file system resources, then reports each IAM user or role’s access capabilities.

Analyze which EFS APIs and file systems an IAM principal can access using the k9 principal access summary:

Figure 1. Analyze principals’ access to EFS APIs and file systems

This principal access summary shows that the AWSReservedSSO_AdministratorAccess role can use the EFS APIs to administer-resource, read-config, read-data, write-data, and delete-data (rows where ‘Resource ARN’ is blank).

The admin role has those same permissions to the file system with id fs-07908eaf254fedc26. Importantly, there is no security policy preventing the admin role from deleting the fs-07908eaf254fedc26 file system. (Note: Unwanted API actions for a particular resource could be denied using a file system resource policy, Service Control Policy on the account, or Permissions Boundary on the user/role.)
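To make the "net of all the security policies" point concrete, here is a small, added illustration (not k9's evaluation engine and not code from the post) of how an identity policy and a file system resource policy combine for one principal on one file system, and how the resulting allowed actions roll up into capability names like the ones in the summary above. The action-to-capability table, the account id, the region and the `app-reader` role are assumptions for the example; the file system id is the one from the post. Only identity and resource policies are modelled: Service Control Policies, Permissions Boundaries, `NotAction` and `Condition` are out of scope here.

```python
from fnmatch import fnmatchcase

# Constructed sample values: file system id from the post; account id, region and reader role are made up.
FILE_SYSTEM_ARN = "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-07908eaf254fedc26"
ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/AWSReservedSSO_AdministratorAccess"
AUDITOR_ROLE_ARN = "arn:aws:iam::111122223333:role/k9-auditor"
READER_ROLE_ARN = "arn:aws:iam::111122223333:role/app-reader"  # hypothetical role

# Assumed mapping of EFS IAM actions to k9-style capability names (illustrative subset;
# k9's real action-to-capability table is not on the page).
CAPABILITY_BY_ACTION = {
    "elasticfilesystem:CreateFileSystem": "administer-resource",
    "elasticfilesystem:PutFileSystemPolicy": "administer-resource",
    "elasticfilesystem:DescribeFileSystems": "read-config",
    "elasticfilesystem:DescribeFileSystemPolicy": "read-config",
    "elasticfilesystem:ClientMount": "read-data",
    "elasticfilesystem:ClientWrite": "write-data",
    "elasticfilesystem:DeleteFileSystem": "delete-data",
}

# Constructed identity policies, simplified stand-ins for the managed policies named in the post.
ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}]}
AUDITOR_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:Describe*", "Resource": "*"}]}

# Constructed EFS file system policy: explicitly denies deletion to everyone and grants
# mount access to a reader role that has no identity-policy grant of its own.
PROTECTED_FILE_SYSTEM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyDeleteForEveryone", "Effect": "Deny", "Principal": "*",
     "Action": "elasticfilesystem:DeleteFileSystem", "Resource": FILE_SYSTEM_ARN},
    {"Sid": "AllowReaderMount", "Effect": "Allow", "Principal": {"AWS": READER_ROLE_ARN},
     "Action": "elasticfilesystem:ClientMount", "Resource": FILE_SYSTEM_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names are case-insensitive; '*' and '?' are the IAM wildcards, as in fnmatch.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    # Identity policies carry no Principal (it is the attached principal); resource policies do.
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return _matches(aws, principal_arn)


def _statement_applies(statement, principal_arn, action, resource_arn):
    return (_principal_matches(statement, principal_arn)
            and _matches(statement.get("Action", []), action)
            and _matches(statement.get("Resource", "*"), resource_arn))


def is_allowed(principal_arn, action, resource_arn, identity_policy, resource_policy=None):
    """Explicit Deny in either policy wins; otherwise any matching Allow grants the action."""
    allowed = False
    for policy in (identity_policy, resource_policy):
        if policy is None:
            continue
        for statement in _as_list(policy["Statement"]):
            if _statement_applies(statement, principal_arn, action, resource_arn):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def capabilities(principal_arn, resource_arn, identity_policy, resource_policy=None):
    """Capability names the principal holds on the resource, net of both policies."""
    return sorted({cap for action, cap in CAPABILITY_BY_ACTION.items()
                   if is_allowed(principal_arn, action, resource_arn, identity_policy, resource_policy)})


if __name__ == "__main__":
    print("admin, no file system policy:",
          capabilities(ADMIN_ROLE_ARN, FILE_SYSTEM_ARN, ADMIN_IDENTITY_POLICY))
    print("admin, protected file system:",
          capabilities(ADMIN_ROLE_ARN, FILE_SYSTEM_ARN, ADMIN_IDENTITY_POLICY, PROTECTED_FILE_SYSTEM_POLICY))
    print("auditor:", capabilities(AUDITOR_ROLE_ARN, FILE_SYSTEM_ARN, AUDITOR_IDENTITY_POLICY))
    print("reader via resource policy only:",
          capabilities(READER_ROLE_ARN, FILE_SYSTEM_ARN, None, PROTECTED_FILE_SYSTEM_POLICY))
```

Running it shows the two situations the summary distinguishes: with no file system policy the admin role holds every capability including delete-data, while the explicit Deny in the file system policy removes delete-data for the admin role even though its identity policy allows `elasticfilesystem:*`. The reader role gets read-data from the resource policy alone, which is exactly the kind of grant that is easy to miss when reviewing identity policies only.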

The k9-auditor role uses the AWS Managed SecurityAudit policy. That policy grants permission to read configuration of EFS APIs and resources. The k9-auditor role has read-config capabilities for both the EFS APIs generally and file system resources.

If you want to see who has access to a specific EFS file system, use the k9 resource access summary. This shows who has access to the fs-07908eaf254fedc26 file system, displayed here with the friendly int-test-01 resource name (Resource ARN column hidden for brevity):

Figure 2. Analyze who can access a specific EFS file system resource

The resource access summary enables data owners to understand who has access to their data quickly and verify access is correct (k9 Security Kata 4).

Review and right-size access to EFS APIs and file systems with k9

Amazon Elastic File System gives you a way to manage unlimited files in the cloud easily. Manage risk to critical data by continuously reviewing and adjusting access to EFS file systems and APIs.

We hope k9’s new EFS API and file system access analysis helps you identify and remediate risks in your AWS accounts. We are happy to answer any questions!