docs

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -90,6 +90,7 @@ Flags come in three types:
 | [@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections](#aws-cdkaws-iamoidcrejectunauthorizedconnections) | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | 2.177.0 | (fix) |
 | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | 2.178.0 | (config) |
 | [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
+| [@aws-cdk/aws-efs:defaultAllowClientMount](#aws-cdkaws-efsdefaultallowclientmount) |When enabled, EFS will allow clients to mount and access the filesystem by default | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -167,7 +168,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
     "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
     "@aws-cdk/core:enableAdditionalMetadataCollection": true,
-    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
+    "@aws-cdk/aws-efs:defaultAllowClientMount": true
   }
 }
 ```
@@ -1021,10 +1023,10 @@ removing these ingress/egress rules in order to restrict access to the default s
 | (not in v1) |  |  |
 | 2.78.0 | `false` | `true` |
 
-**Compatibility with old behavior:** 
+**Compatibility with old behavior:**
       To allow all ingress/egress traffic to the VPC default security group you
       can set the `restrictDefaultSecurityGroup: false`.
-    
+
 
 
 ### @aws-cdk/aws-kms:aliasNameRef
@@ -1082,10 +1084,10 @@ provided.
 | (not in v1) |  |  |
 | 2.88.0 | `false` | `true` |
 
-**Compatibility with old behavior:** 
+**Compatibility with old behavior:**
       If backwards compatibility needs to be maintained due to an existing autoscaling group
       using a launch config, set this flag to false.
-    
+
 
 
 ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby
@@ -1603,7 +1605,7 @@ If the flag is set to false then a custom resource will be created when using `U
 
 In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from
 accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag
-to true will ensure CDK does not attempt to implement IMDS blocking. By <ins>**end of 2025**</ins>, CDK will remove the 
+to true will ensure CDK does not attempt to implement IMDS blocking. By <ins>**end of 2025**</ins>, CDK will remove the
 IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information.
 
 It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.
@@ -1622,8 +1624,8 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl
 *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary)
 
 In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from
-accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this 
-feature alone with this feature flag will be deprecated by <ins>**end of 2025**</ins> as CDK cannot 
+accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this
+feature alone with this feature flag will be deprecated by <ins>**end of 2025**</ins> as CDK cannot
 guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information.
 It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.
 
@@ -1680,7 +1682,7 @@ thumbprints from unsecure connections.
 
 When this feature flag is enabled, CDK expands the scope of usage data collection to include the following:
   * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects.
-  * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. 
+  * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted.
   * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type.
 
 
@@ -1694,7 +1696,7 @@ When this feature flag is enabled, CDK expands the scope of usage data collectio
 
 *When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix)
 
-When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
 The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
 This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
 
@@ -1705,4 +1707,20 @@ This solves an issue where a circular dependency could occur if adding lambda to
 | 2.180.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-efs:defaultAllowClientMount
+
+*When enabled, EFS will allow clients to mount and access the filesystem by default* (fix)
+
+When this feature flag is enabled, EFS will add read-only, write, and root access permissions to clients
+accessing the filesystem via mount target by default. Without this flag, only write and root access permissions are granted.
+
+This resolves an issue where clients could have permission to write to the filesystem but were unable to properly mount it, leading to access problems.
+By automatically including the read-only permission alongside the existing write and root access permissions, clients can fully interact with the EFS resources as expected.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
 <!-- END details -->

packages/aws-cdk-lib/cx-api/README.md

@@ -615,7 +615,7 @@ _cdk.json_
 
 * `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy`
 
-When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
 The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
 This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
 
@@ -627,4 +627,22 @@ _cdk.json_
     "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true
   }
 }
-```
+```
+
+* `@aws-cdk/aws-efs:defaultAllowClientMount`
+
+When this feature flag is enabled, EFS will add read-only, write, and root access permissions to clients
+accessing the filesystem via mount target by default. Without this flag, only write and root access permissions are granted.
+
+This resolves an issue where clients could have permission to write to the filesystem but were unable to properly mount it, leading to access problems.
+By automatically including the read-only permission alongside the existing write and root access permissions, clients can fully interact with the EFS resources as expected.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-efs:defaultAllowClientMount": true
+  }
+}
+```

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -1407,13 +1407,13 @@ export const FLAGS: Record<string, FlagInfo> = {
     type: FlagType.BugFix,
     summary: 'When enabled, EFS will allow clients to mount and access the filesystem by default',
     detailsMd: `
-      When this feature flag is enabled, EFS will add MOUNT, WRITE, and ROOT_ACCESS permissions to clients
+      When this feature flag is enabled, EFS will add read-only, write, and root access permissions to clients
       accessing the filesystem via mount target by default. Without this flag, only WRITE and ROOT_ACCESS
       permissions are granted.
 
       This resolves an issue where clients could have permission to write to the filesystem but were unable to
-      properly mount it, leading to access problems. By automatically including the MOUNT permission alongside
-      the existing WRITE and ROOT_ACCESS permissions, clients can fully interact with the EFS resources as expected.
+      properly mount it, leading to access problems. By automatically including the read-only permission alongside
+      the existing write and root access permissions, clients can fully interact with the EFS resources as expected.
     `,
     introducedIn: { v2: 'V2NEXT' },
     recommendedValue: true,