turbot/aws_compliance

Control: 3 EFS access points should enforce a root directory

Description

This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system).

When you enforce a root directory, the NFS client using the access point uses the root directory configured on the access point instead of the file system's root directory. Enforcing a root directory for an access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory.
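The check described above, as an added example (not the aws_compliance mod's own query): a Python evaluation of the JSON returned by `aws efs describe-access-points`. The sample response and its IDs are constructed, the `alarm`/`ok` labels are chosen to mirror Powerpipe status names, and treating a missing `RootDirectory` or `Path` as `/` is an assumption of this sketch.

```python
import json

# Constructed sample in the shape of `aws efs describe-access-points` output.
# IDs are placeholders, not real resources.
SAMPLE = json.loads("""
{
  "AccessPoints": [
    {"AccessPointId": "fsap-EXAMPLE1", "FileSystemId": "fs-EXAMPLE",
     "LifeCycleState": "available",
     "RootDirectory": {"Path": "/"}},
    {"AccessPointId": "fsap-EXAMPLE2", "FileSystemId": "fs-EXAMPLE",
     "LifeCycleState": "available",
     "RootDirectory": {"Path": "/apps/billing",
                       "CreationInfo": {"OwnerUid": 1001, "OwnerGid": 1001,
                                        "Permissions": "750"}}},
    {"AccessPointId": "fsap-EXAMPLE3", "FileSystemId": "fs-EXAMPLE",
     "LifeCycleState": "available"}
  ]
}
""")


def effective_root(access_point):
    """Return the normalized root directory path of one access point.

    Assumption: a missing RootDirectory or Path is evaluated as '/',
    so an incomplete record fails the check instead of passing silently.
    """
    path = (access_point.get("RootDirectory") or {}).get("Path") or "/"
    # Drop empty and '.' segments so '//' or '/./' cannot mask the root.
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts)


def evaluate(response):
    """Return one finding per access point: alarm if its root is '/'."""
    findings = []
    for ap in response.get("AccessPoints", []):
        root = effective_root(ap)
        findings.append({
            "resource": ap["AccessPointId"],
            "status": "alarm" if root == "/" else "ok",
            "root": root,
        })
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding["status"], finding["resource"], finding["root"])
```
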

Remediation

For instructions on how to enforce a root directory for an Amazon EFS access point, see Enforcing a root directory with an access point in the Amazon Elastic File System User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_efs_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_3 --share

SQL

This control uses a named query:

efs_access_point_enforce_root_directory
