turbot/steampipe-mod-aws-compliance

Control: 3 EFS access points should enforce a root directory

Description

This control checks whether Amazon EFS access points are configured to enforce a root directory. The control fails if the access point's root directory Path is / (the default, i.e. the root directory of the file system itself).

When you enforce a root directory, the NFS client using the access point uses the root directory configured on the access point instead of the file system's root directory. Enforcing a root directory for an access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory.

Remediation

For instructions on how to enforce a root directory for an Amazon EFS access point, see Enforcing a root directory with an access point in the Amazon Elastic File System User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_efs_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_3 --share

SQL

This control uses a named query:

select
  access_point_arn as resource,
  case
    when root_directory ->> 'Path' = '/' then 'alarm'
    else 'ok'
  end as status,
  case
    when root_directory ->> 'Path' = '/' then title || ' not configured to enforce a root directory.'
    else title || ' configured to enforce a root directory.'
  end as reason,
  region,
  account_id
from
  aws_efs_access_point;
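The following is an added example and is not part of the turbot/steampipe-mod-aws-compliance mod. It re-implements the same rule in Python over the shape of the EFS DescribeAccessPoints response (the RootDirectory object that Steampipe exposes as the root_directory column), normalises root spellings such as "//" that the plain string comparison above would miss, and builds the request a remediation would send through a CreateAccessPoint call (for instance boto3's efs.create_access_point). The access points, ARNs and file system IDs are constructed placeholders; run_control and enforced_root_directory_request are names chosen here, not mod or AWS identifiers.

```python
"""Added example, not part of turbot/steampipe-mod-aws-compliance: a local
re-implementation of the EFS.3 rule over the DescribeAccessPoints response
shape, plus a helper that builds a remediation request.
The access points below are constructed sample data, not real resources."""
from posixpath import normpath

# Constructed sample data: ARNs and IDs are placeholders, not real resources.
SAMPLE_ACCESS_POINTS = [
    {
        "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE1",
        "Name": "shared-default",
        "FileSystemId": "fs-EXAMPLE",
        # The API default: the whole file system is exposed through the access point.
        "RootDirectory": {"Path": "/"},
    },
    {
        "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE2",
        "Name": "app-data",
        "FileSystemId": "fs-EXAMPLE",
        "RootDirectory": {
            "Path": "/app/data",
            "CreationInfo": {"OwnerUid": 1000, "OwnerGid": 1000, "Permissions": "0750"},
        },
    },
    {
        "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE3",
        "Name": "sloppy-root",
        "FileSystemId": "fs-EXAMPLE",
        # A root spelled with a redundant slash: still the file system root.
        "RootDirectory": {"Path": "//"},
    },
]


def root_path(access_point: dict) -> str:
    """Return the normalised RootDirectory.Path, treating a missing value as '/'."""
    raw = access_point.get("RootDirectory", {}).get("Path") or "/"
    # Collapse "//", "/./" and trailing slashes so they compare equal to "/".
    return normpath("/" + raw.lstrip("/"))


def enforces_root_directory(access_point: dict) -> bool:
    """True when the access point restricts NFS clients to a subdirectory."""
    return root_path(access_point) != "/"


def evaluate(access_point: dict) -> dict:
    """Produce the same resource/status/reason triple the control's SQL emits."""
    ok = enforces_root_directory(access_point)
    title = access_point.get("Name") or access_point["AccessPointArn"]
    verdict = "configured" if ok else "not configured"
    return {
        "resource": access_point["AccessPointArn"],
        "status": "ok" if ok else "alarm",
        "reason": f"{title} {verdict} to enforce a root directory.",
    }


def run_control(access_points: list) -> list:
    """Evaluate every access point; alarms first so they stand out in a report."""
    results = [evaluate(ap) for ap in access_points]
    return sorted(results, key=lambda r: r["status"] != "alarm")


def enforced_root_directory_request(file_system_id: str, path: str,
                                    owner_uid: int, owner_gid: int,
                                    permissions: str = "0750") -> dict:
    """Keyword arguments for a CreateAccessPoint call (for example boto3's
    efs.create_access_point) that enforce a root directory.

    CreationInfo is included deliberately: EFS creates the directory with the
    given owner and mode if it does not yet exist. Without CreationInfo, an
    access point whose Path does not exist on the file system cannot be mounted.
    """
    normalised = normpath("/" + path.lstrip("/"))
    if normalised == "/":
        raise ValueError("Path '/' is the file system root and enforces nothing")
    return {
        "FileSystemId": file_system_id,
        "RootDirectory": {
            "Path": normalised,
            "CreationInfo": {
                "OwnerUid": owner_uid,
                "OwnerGid": owner_gid,
                "Permissions": permissions,
            },
        },
    }


if __name__ == "__main__":
    for row in run_control(SAMPLE_ACCESS_POINTS):
        print(f"{row['status']:5}  {row['reason']}")
    print(enforced_root_directory_request("fs-EXAMPLE", "/app/data/", 1000, 1000))
```

The normalisation step is the one place this deliberately goes beyond the SQL: the named query compares the raw Path string with '/', so a root written as "//" or "/." would pass as ok, whereas root_path collapses those spellings before comparing.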

Tags