How to avoid circular dependencies between EFS and access point in file system policy of Cloudformation template

0

When I try to follow example 3 in the following page to prepare for EFS file system policy in a cloudformation template, I notice that it will cause circular dependency.

https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html

{
    "Id": "access-point-example03",
    "Statement": [
        {
            "Sid": "access-point-statement-example03",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::555555555555:role/EfsAccessPointFullAccess"},
            "Action": "elasticfilesystem:Client*",
            "Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678",
            "Condition": { 
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn":"arn:aws:elasticfilesystem:us-east-2:555555555555:access-point/fsap-12345678" } 
            }            
        }
    ]
}

The file system policy is a part of the file system resource and it's referring the ARN of the access point. The access point resource must refer to the file system resource. Are there any ways that the condition can be written without the ARN of the access points such that the circular dependency can be avoided?

It seems not possible since there are only three conditions keys for client: aws:SecureTransport, elasticfilesystem:AccessPointArn, elasticfilesystem:AccessedViaMountTarget

So, it seems that we need to enforce the control in IAM policies if we also want to use Cloudformation.

1 Answer
0

Some findings after some experiments:

  1. No such issue with Terraform HCL since file system policy is a separate resource.
  2. Have tried with ECS tasks. It seems that EFS actions are implicitly allowed. An explicit deny IAM policy can be added to the task role to force the ECS task to access the file system through access point.
Alan
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions