fix(efs): client mount permissions for EFS filesystem are not permitt…

…ed by default
aws · mazyu36 · Mar 2, 2025 · Mar 2, 2025 · Mar 2, 2025 · Mar 8, 2025
commit 3385a64f6b1ab2954f821143f3be787a7b8cb370
diff --git a/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts b/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts
@@ -808,18 +808,34 @@ export class FileSystem extends FileSystemBase {
           const denyAnonymousAccessByDefault = denyAnonymousAccessFlag || this._grantedClient;
           const allowAnonymousAccess = props.allowAnonymousAccess ?? !denyAnonymousAccessByDefault;
           if (!allowAnonymousAccess) {
-            this.addToResourcePolicy(new iam.PolicyStatement({
-              principals: [new iam.AnyPrincipal()],
-              actions: [
-                ClientAction.WRITE,
-                ClientAction.ROOT_ACCESS,
-              ],
-              conditions: {
-                Bool: {
-                  'elasticfilesystem:AccessedViaMountTarget': 'true',
+            if (FeatureFlags.of(this).isEnabled(cxapi.EFS_DEFAULT_ALLOW_CLIENT_MOUNT)) {
+              this.addToResourcePolicy(new iam.PolicyStatement({
+                principals: [new iam.AnyPrincipal()],
+                actions: [
+                  ClientAction.MOUNT,
+                  ClientAction.WRITE,
+                  ClientAction.ROOT_ACCESS,
+                ],
+                conditions: {
+                  Bool: {
+                    'elasticfilesystem:AccessedViaMountTarget': 'true',
+                  },
                 },
-              },
-            }));
+              }));
+            } else {
+              this.addToResourcePolicy(new iam.PolicyStatement({
+                principals: [new iam.AnyPrincipal()],
+                actions: [
+                  ClientAction.WRITE,
+                  ClientAction.ROOT_ACCESS,
+                ],
+                conditions: {
+                  Bool: {
+                    'elasticfilesystem:AccessedViaMountTarget': 'true',
+                  },
+                },
+              }));
+            }
           }
           return this._fileSystemPolicy;
         },
@@ -904,8 +920,8 @@ export class FileSystem extends FileSystemBase {
       const isNotUnresolvedToken = (x: string) => !Token.isUnresolved(x);
       const isNotDummy = (x: string) => !x.startsWith('dummy');
       if (this.props.vpc.availabilityZones.every(isNotUnresolvedToken) &&
-      this.props.vpc.availabilityZones.every(isNotDummy) &&
-      !this.props.vpc.availabilityZones.includes(this.props.vpcSubnets.availabilityZones[0])) {
+        this.props.vpc.availabilityZones.every(isNotDummy) &&
+        !this.props.vpc.availabilityZones.includes(this.props.vpcSubnets.availabilityZones[0])) {
         throw new Error('vpcSubnets.availabilityZones specified is not in vpc.availabilityZones.');
       }
     }

diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts
@@ -124,6 +124,7 @@ export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@
 export const IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS = '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections';
 export const ENABLE_ADDITIONAL_METADATA_COLLECTION = '@aws-cdk/core:enableAdditionalMetadataCollection';
 export const LAMBDA_CREATE_NEW_POLICIES_WITH_ADDTOROLEPOLICY = '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy';
+export const EFS_DEFAULT_ALLOW_CLIENT_MOUNT = '@aws-cdk/aws-efs:defaultAllowClientMount';
 
 export const FLAGS: Record<string, FlagInfo> = {
   //////////////////////////////////////////////////////////////////////
@@ -1152,8 +1153,8 @@ export const FLAGS: Record<string, FlagInfo> = {
       '**Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**',
     detailsMd: `
     In an ECS Cluster with \`MachineImageType.AMAZON_LINUX_2\`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from
-    accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this 
-    feature alone with this feature flag will be deprecated by <ins>**end of 2025**</ins> as CDK cannot 
+    accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this
+    feature alone with this feature flag will be deprecated by <ins>**end of 2025**</ins> as CDK cannot
     guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information.
     It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.
     `,
@@ -1171,9 +1172,9 @@ export const FLAGS: Record<string, FlagInfo> = {
     detailsMd: `
     In an ECS Cluster with \`MachineImageType.AMAZON_LINUX_2\`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from
     accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag
-    to true will ensure CDK does not attempt to implement IMDS blocking. By <ins>**end of 2025**</ins>, CDK will remove the 
+    to true will ensure CDK does not attempt to implement IMDS blocking. By <ins>**end of 2025**</ins>, CDK will remove the
     IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information.
-    
+
     It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.
     `,
     introducedIn: { v2: '2.175.0' },
@@ -1366,7 +1367,7 @@ export const FLAGS: Record<string, FlagInfo> = {
     detailsMd: `
       When this feature flag is enabled, the default behaviour of OIDC Provider's custom resource handler will
       default to reject unauthorized connections when downloading CA Certificates.
-      
+
       When this feature flag is disabled, the behaviour will be the same as current and will allow downloading
       thumbprints from unsecure connections.`,
     introducedIn: { v2: '2.177.0' },
@@ -1381,7 +1382,7 @@ export const FLAGS: Record<string, FlagInfo> = {
     detailsMd: `
     When this feature flag is enabled, CDK expands the scope of usage data collection to include the following:
       * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects.
-      * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. 
+      * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted.
       * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type.
     `,
     introducedIn: { v2: '2.178.0' },
@@ -1393,13 +1394,30 @@ export const FLAGS: Record<string, FlagInfo> = {
     type: FlagType.BugFix,
     summary: 'When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement',
     detailsMd: `
-      When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+      When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
       The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
       This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
     `,
     introducedIn: { v2: '2.180.0' },
     recommendedValue: true,
   },
+
+  //////////////////////////////////////////////////////////////////////
+  [EFS_DEFAULT_ALLOW_CLIENT_MOUNT]: {
+    type: FlagType.BugFix,
+    summary: 'When enabled, EFS will allow clients to mount and access the filesystem by default',
+    detailsMd: `
+      When this feature flag is enabled, EFS will add MOUNT, WRITE, and ROOT_ACCESS permissions to clients
+      accessing the filesystem via mount target by default. Without this flag, only WRITE and ROOT_ACCESS
+      permissions are granted.
+
+      This resolves an issue where clients could have permission to write to the filesystem but were unable to
+      properly mount it, leading to access problems. By automatically including the MOUNT permission alongside
+      the existing WRITE and ROOT_ACCESS permissions, clients can fully interact with the EFS resources as expected.
+    `,
+    introducedIn: { v2: 'V2NEXT' },
+    recommendedValue: true,
+  },
 };
 
 const CURRENT_MV = 'v2';