
aws-efs: EFS does not contain the mount access policy by default #33669

Open
samyak-jain opened this issue Mar 1, 2025 · 1 comment · May be fixed by #33671
Labels
@aws-cdk/aws-efs Related to Amazon Elastic File System bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@samyak-jain

Describe the bug

Creating an EFS filesystem using defaults currently creates an unusable filesystem because, by default, the elasticfilesystem:ClientMount action is not present in the access policy of the file system.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

elasticfilesystem:ClientMount should be present by default in the EFS access policy.

Current Behavior

elasticfilesystem:ClientMount does not exist in the EFS access policy without providing a custom policy.

Reproduction Steps

Any barebones example for ECS and EFS that does not use a custom policy will face this issue.

import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as ecs from "aws-cdk-lib/aws-ecs";
import * as efs from "aws-cdk-lib/aws-efs";

// Runs inside a Stack constructor (`this` is the stack).
const vpc = new ec2.Vpc(this, "AppVPC", {});
// Defaults only: no fileSystemPolicy is passed, so the generated
// file system policy is the one this issue describes.
const fileSystem = new efs.FileSystem(this, "ApplicationEFS", {
  vpc,
});
const efsSecurityGroup = new ec2.SecurityGroup(this, "EfsSecurityGroup", {
  vpc,
  description: "Allow EFS access",
});

// Note: this group is attached to the Fargate service below, not to the file system.
efsSecurityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcp(2049),
  "Allow NFS traffic"
);
const cluster = new ecs.Cluster(this, "ApplicationCluster", { vpc });
const taskDefinition = new ecs.FargateTaskDefinition(this, "TaskDef");
taskDefinition.addVolume({
  name: "efs-volume",
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId, // was `filesystem`, an undefined variable
    transitEncryption: "ENABLED",
  },
});

const container = taskDefinition.addContainer("AppContainer", {
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
});

container.addMountPoints({
  sourceVolume: "efs-volume",
  containerPath: "/mnt/efs",
  readOnly: false,
});
new ecs.FargateService(this, "MyService", {
  cluster,
  taskDefinition,
  desiredCount: 1,
  securityGroups: [efsSecurityGroup],
});

Possible Solution

This should be a one-line change where we add mount to the default policy.

Additional Information/Context

No response

CDK CLI Version

2.1001.0 (build 130445d)

Framework Version

No response

Node.js Version

v20.18.3

OS

Arch Linux

Language

TypeScript

Language Version

No response

Other information

No response

@samyak-jain samyak-jain added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2025
@github-actions github-actions bot added the @aws-cdk/aws-efs Related to Amazon Elastic File System label Mar 1, 2025
@pahud
Contributor

pahud commented Mar 2, 2025

Hi,

After analyzing the code in packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts, I can see that we need to modify the access policy logic. In the FileSystem constructor where it creates the fileSystemPolicy, we need to modify the policy statement to include the ClientMount action when denying anonymous access.

actions: [
ClientAction.WRITE,
ClientAction.ROOT_ACCESS,
],

The key change is adding ClientAction.MOUNT to the actions array when creating the policy statement. This ensures that when anonymous access is not allowed, we explicitly handle the mount action in the policy.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 2, 2025
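A pre-deploy check for the condition described in the report and in the comment above, as an added example that is neither the issue's code nor aws-cdk-lib's: it scans a synthesized CloudFormation template (what `cdk synth` emits; here a hand-constructed sample) for EFS file systems whose policy never allows elasticfilesystem:ClientMount, which is exactly what adding ClientAction.MOUNT to the default statement would fix. The function names and the sample template are assumptions.

```typescript
// Added example, not code from the issue or from aws-cdk-lib: flag
// AWS::EFS::FileSystem resources whose FileSystemPolicy never allows ClientMount.
type Statement = { Effect?: string; Action?: string | string[]; NotAction?: string | string[]; [k: string]: unknown };
type PolicyDoc = { Statement?: Statement | Statement[] };
type Resource = { Type?: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };
const MOUNT = "elasticfilesystem:ClientMount";
function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
// True if an IAM action pattern covers ClientMount: the exact action, "*",
// "elasticfilesystem:*" or a glob such as "elasticfilesystem:Client*".
// IAM matches action names case-insensitively, hence the "i" flag.
function actionCoversMount(pattern: string): boolean {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(MOUNT);
}
// A policy grants mount if some Allow statement lists a matching Action, or
// uses NotAction without excluding ClientMount.
function policyAllowsMount(doc: PolicyDoc): boolean {
  return asList(doc.Statement).some(st =>
    st.Effect === "Allow" &&
    (asList(st.Action).some(actionCoversMount) ||
      (st.NotAction !== undefined && !asList(st.NotAction).some(actionCoversMount))));
}
// Logical IDs of file systems that carry a policy with no ClientMount allow.
// A file system with no policy at all is not flagged: EFS then applies its
// default, which permits mounting, so the gap only exists once a policy is set.
function fileSystemsMissingClientMount(template: Template): string[] {
  const flagged: string[] = [];
  for (const [id, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::EFS::FileSystem") continue;
    const policy = res.Properties?.FileSystemPolicy as PolicyDoc | undefined;
    if (policy !== undefined && !policyAllowsMount(policy)) flagged.push(id);
  }
  return flagged;
}
// Constructed sample template (hand-written, not real `cdk synth` output):
// one policy with only the WRITE/ROOT_ACCESS actions quoted in the comment,
// one with ClientMount added, and one file system without any policy.
const writeRoot = ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"];
const sampleTemplate: Template = {
  Resources: {
    BrokenEfs: { Type: "AWS::EFS::FileSystem", Properties: { FileSystemPolicy: {
      Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: writeRoot }] } } },
    FixedEfs: { Type: "AWS::EFS::FileSystem", Properties: { FileSystemPolicy: {
      Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: [MOUNT, ...writeRoot] }] } } },
    NoPolicyEfs: { Type: "AWS::EFS::FileSystem", Properties: {} },
  },
};
```

Run it over the parsed `cdk synth` JSON of the stack above and only the file system created with defaults is reported.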