EFS File system policy with IAM Instance Profile collision


There is an EFS volume with the File System Policy below:

{
    "Version": "2012-10-17",
    "Id": "read-only-example-policy02",
    "Statement": [
        {
            "Sid": "efsReadOnlyFS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:role/InstanceProfile"
            },
            "Action": "elasticfilesystem:ClientMount",
            "Resource": "arn:aws:elasticfilesystem:us-east-2:<account_id>:file-system/fs-id"
        }
    ]
}

The role InstanceProfile is the role attached to an EC2 instance. Now, this instance profile has an IAM policy with elasticfilesystem:* which grants it ALL ACCESS on the EFS.

Now, even though the File System policy makes it read-only, I am still able to mount the EFS and write files into it. Shouldn't the File System Policy take precedence over the instance profile permissions?

1 answer
Accepted answer

Good question!

In this case, your File System policy is a resource policy and the instance policy would be considered an IAM identity policy. For resources in the same account, these are treated as a logical OR. It is also important to remember the policy evaluation logic.

First, Explicit Denies are evaluated, then Explicit Allows, then Implicit Denies.

Explicit Denies --> Explicit Allows --> Implicit Denies

In this case, your EFS policy is an Allow for read, so if the instance policy has an explicit allow for writing, it will not be denied. If you're looking to secure the EFS volume further, you would need to use an explicit deny on the policy itself (and you can use this in conjunction with allows).

jsonc
Answered 2 years ago
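A small model of the evaluation order described in the answer, added here as an example (it is not from the original post and not AWS's engine): same-account identity and resource allows are OR-ed, and an explicit Deny overrides both. The account id and file system id are placeholders, and the model deliberately ignores conditions, NotAction/NotResource and cross-account rules; it shows why the question's read-only policy still permits ClientWrite and how an explicit Deny in the file system policy changes the result.

```python
# Simplified same-account IAM evaluation: explicit Deny wins, then any Allow
# from an identity OR a resource policy, else implicit deny. Conditions,
# NotAction/NotResource and cross-account rules are deliberately left out.
from fnmatch import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/InstanceProfile"
FS = f"arn:aws:elasticfilesystem:us-east-2:{ACCOUNT}:file-system/fs-0123456789abcdef0"  # constructed id

# Identity policy on the instance profile role (elasticfilesystem:* as in the question)
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:*", "Resource": "*"}]}

# The file system policy from the question: an Allow for ClientMount only
READ_ONLY_FS_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "elasticfilesystem:ClientMount", "Resource": FS}]}

# Hardened variant: same Allow plus an explicit Deny on write and root access
HARDENED_FS_POLICY = {"Statement": READ_ONLY_FS_POLICY["Statement"] + [
    {"Effect": "Deny", "Principal": {"AWS": ROLE},
     "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"],
     "Resource": FS}]}

def _matches(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch(value, p) for p in pats)

def _applies(stmt, principal, action, resource, is_resource_policy):
    if is_resource_policy:  # resource policies name the principal explicitly
        p = stmt.get("Principal", {})
        if not _matches(p.get("AWS", []) if isinstance(p, dict) else p, principal):
            return False
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)

def evaluate(principal, action, resource, identity_policies, resource_policy):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = []
    for policy, is_res in [(p, False) for p in identity_policies] + [(resource_policy, True)]:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource, is_res):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"  # explicit deny always wins
    if "Allow" in effects:
        return "Allow"  # logical OR of identity and resource allows
    return "ImplicitDeny"
```

Calling `evaluate(ROLE, "elasticfilesystem:ClientWrite", FS, [IDENTITY_POLICY], READ_ONLY_FS_POLICY)` returns "Allow" (the identity policy's allow is enough), while the same call with `HARDENED_FS_POLICY` returns "Deny".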
