🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: 4 EFS access points should enforce a user identity

Description

This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point.

Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories.

Remediation

To enforce a user identity for an Amazon EFS access point, see Enforcing a user identity using an access point in the Amazon Elastic File System User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_efs_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_efs_4 --share

SQL

This control uses a named query:

select
  access_point_arn as resource,
  case
    when posix_user is null then 'alarm'
    else 'ok'
  end as status,
  case
    when posix_user is null then title || ' does not enforce a user identity.'
    else title || ' enforces a user identity.'
  end as reason
  
  , region, account_id
from
  aws_efs_access_point;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = efs_4
plugin = aws
service = AWS/EFS