When I try to follow example 3 in the following page to prepare for EFS file system policy in a cloudformation template, I notice that it will cause circular dependency.
https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html
{
"Id": "access-point-example03",
"Statement": [
{
"Sid": "access-point-statement-example03",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::555555555555:role/EfsAccessPointFullAccess"},
"Action": "elasticfilesystem:Client*",
"Resource": "arn:aws:elasticfilesystem:us-east-2:111122223333:file-system/fs-12345678",
"Condition": {
"StringEquals": {
"elasticfilesystem:AccessPointArn":"arn:aws:elasticfilesystem:us-east-2:555555555555:access-point/fsap-12345678" }
}
}
]
}
The file system policy is a part of the file system resource and it's referring the ARN of the access point. The access point resource must refer to the file system resource. Are there any ways that the condition can be written without the ARN of the access points such that the circular dependency can be avoided?
It seems not possible since there are only three conditions keys for client: aws:SecureTransport, elasticfilesystem:AccessPointArn, elasticfilesystem:AccessedViaMountTarget
So, it seems that we need to enforce the control in IAM policies if we also want to use Cloudformation.