16 changes: 15 additions & 1 deletion packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts
Expand Up @@ -815,9 +815,23 @@ export class FileSystem extends FileSystemBase {
const denyAnonymousAccessByDefault = denyAnonymousAccessFlag || this._grantedClient;
const allowAnonymousAccess = props.allowAnonymousAccess ?? !denyAnonymousAccessByDefault;
if (!allowAnonymousAccess) {
// Create a simple ALLOW policy to block anonymous access.
// Per AWS documentation, when NO file system policy exists, EFS uses its default behavior
// which allows anonymous NFS access without IAM authentication. By creating ANY policy,
// EFS switches to IAM enforcement mode, which blocks anonymous clients (they have no IAM
// credentials to authenticate). IAM principals with proper identity permissions can still
// access the file system because this ALLOW policy permits their actions.
//
// We use AccountRootPrincipal to restrict access to IAM principals within this AWS account only.
// This prevents unintended cross-account access while still allowing same-account IAM principals
// to access the file system with proper identity-based permissions. For cross-account access,
// users should explicitly grant access using the grant methods or add specific principal ARNs.
//
// See: https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
this.addToResourcePolicy(new iam.PolicyStatement({
principals: [new iam.AnyPrincipal()],
principals: [new iam.AccountRootPrincipal()],
actions: [
ClientAction.MOUNT,
ClientAction.WRITE,
ClientAction.ROOT_ACCESS,
],
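Review bot: The `PolicyStatement` whose `principals` line changes at line 43 continues past the hunk (line 48 closes only `actions`), so whether the statement still carries a `conditions` block such as `Bool: { 'elasticfilesystem:AccessedViaMountTarget': 'true' }` cannot be checked here; if one exists it must be left intact, since swapping the principal does not replace it, and if none exists the Allow should gain one so the grant applies only to NFS clients reaching the file system through a mount target. The comment at lines 35–38 states the intent but not the consequence: a principal in another account that previously matched `*` no longer matches the account-root ARN, so an existing deployment that mounts cross-account will lose access on its next deploy unless a statement for that principal is added, which reads like a feature-flag or changelog item rather than a silent default change. I would add `// NOTE: this narrows the former '*' principal; cross-account clients that relied on it must now be granted explicitly.` to that comment so the tightening is visible to the next maintainer. The enclosing `addToResourcePolicy(...)` call starts at line 41 inside the hunk but ends outside it.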
15 changes: 10 additions & 5 deletions packages/aws-cdk-lib/aws-efs/test/efs-file-system.test.ts
Expand Up @@ -720,9 +720,10 @@ test('anonymous access is prohibited by default when using GrantRead', () => {
{
Effect: 'Allow',
Principal: {
AWS: '*',
AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] },
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Expand Down Expand Up @@ -777,9 +778,10 @@ test('anonymous access is prohibited by default when using GrantReadWrite', () =
{
Effect: 'Allow',
Principal: {
AWS: '*',
AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] },
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Expand Down Expand Up @@ -835,9 +837,10 @@ test('anonymous access is prohibited by default when using GrantRootAccess', ()
{
Effect: 'Allow',
Principal: {
AWS: '*',
AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] },
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Expand Down Expand Up @@ -866,9 +869,10 @@ test('anonymous access is prohibited by the allowAnonymousAccess props even when
{
Effect: 'Allow',
Principal: {
AWS: '*',
AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] },
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
Expand Down Expand Up @@ -922,9 +926,10 @@ test('anonymous access is prohibited by the @aws-cdk/aws-efs:denyAnonymousAccess
{
Effect: 'Allow',
Principal: {
AWS: '*',
AWS: { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] },
},
Action: [
'elasticfilesystem:ClientMount',
'elasticfilesystem:ClientWrite',
'elasticfilesystem:ClientRootAccess',
],
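Review bot: The expected principal object `{ 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] }` is pasted verbatim into five tests (lines 57, 69, 81, 93, 105); hoist it once near the top of the file, e.g. `const ACCOUNT_ROOT_PRINCIPAL = { 'Fn::Join': [ '', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':root' ] ] };`, and reference it so a future change to the generated ARN is a one-line edit. None of the visible assertions exercises the property the code change is meant to add — that the synthesized `Principal.AWS` is no longer `'*'` and that a principal outside the account is not allowed — so a regression back to `AnyPrincipal` would only be caught by the exact-match on the `Fn::Join` literal; an explicit negative assertion would make the intent of the test readable. Each of these test bodies starts before and ends after its hunk.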