Trying to mount EFS on EC2 using AWS CDK but failing due to File System Policy created in EFS

0

I am trying to mount EFS on EC2 instances with the help of user data script using AWS CDKv2.158.0 and both are in the same VPC. While trying to do that, mount is failing due to a File System Policy which is being created and this Policy is stopping EC2 to mount the EFS. Once, i delete this policy or allow this action in the policy "elasticfilesystem:ClientMount" then EFS is successfully mounting on EC2 instance during initial bootstrap. I don't want this policy to be created during EFS file system setup but failing to do so. When i am trying to add a custom policy, it is adding a custom policy but also adding a default policy which is creating problems.

IAM Role attached to EC2 has given administrator access for testing but did not solve the issue.

Please help me how can i get rid of this default policy or only set the customized policy which i want? Even the **file_system_policy=None and enable_automatic_backups=False parameters are not working. **

Default file system policy which is appearing

{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite"
],
"Resource": "arn:aws:elasticfilesystem:ap-south-1:123456789:file-system/fs-07d1f0b57601866ae",
"Condition": {
"Bool": {
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
}
    # Step 1: Define the custom EFS policy
        efs_policy = iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    effect=iam.Effect.ALLOW,
                    principals=[iam.AnyPrincipal()],
                    actions=[
                        "elasticfilesystem:ClientRootAccess",
                        "elasticfilesystem:ClientMount",
                        "elasticfilesystem:ClientWrite"
                    ],
                    resources=["*"],
                    conditions={
                        "Bool": {
                            "elasticfilesystem:AccessedViaMountTarget": "true"
                        }
                    }
                )
            ]
        )
# Create EFS File System
        file_system = efs.FileSystem(self, "MyEfsFileSystem",
            vpc=vpc,
            vpc_subnets=ec2.SubnetSelection(subnet_group_name="PrivateSubnetASG"),
            security_group=efs_security_group,
            removal_policy=RemovalPolicy.DESTROY,  # CAUTION: This will delete the EFS when the stack is destroyed
            lifecycle_policy=efs.LifecyclePolicy.AFTER_14_DAYS,  # Transition files to Infrequent Access after 14 days
            performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
            throughput_mode=efs.ThroughputMode.BURSTING,
            # file_system_policy=None,  # This ensures no File System Policy is applied
            file_system_policy=efs_policy,  # Using customized policy
            enable_automatic_backups=False  # Disables automatic backups which might add a default policy
        )
1 Answer
2
Accepted Answer

The issue you're experiencing with the EFS File System Policy is a common one when using AWS CDK to create EFS resources. The default behavior of the CDK is to create a File System Policy even if you don't explicitly specify one. This is done for security reasons, but it can cause issues like the one you're encountering.

To address this problem, you have a few options:

  1. Use the allowAnonymousAccess property: Set this to true when creating your FileSystem. This will allow access from anonymous clients without IAM authentication, which should prevent the creation of the restrictive default policy.

  2. Modify your custom policy: Ensure that your custom policy includes all necessary permissions, including elasticfilesystem:ClientMount. Your current custom policy looks good, but make sure it's being applied correctly.

  3. Use the addToResourcePolicy method: Instead of setting the policy during creation, you can add your custom policy after the FileSystem is created using the addToResourcePolicy method.

  4. Check CDK version and feature flags: Ensure you're using the latest version of CDK and check if there are any feature flags that might be affecting the default behavior.

Here's an example of how you might modify your code:

const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
vpc: vpc,
vpcSubnets: { subnetGroupName: 'PrivateSubnetASG' },
securityGroup: efs_security_group,
removalPolicy: cdk.RemovalPolicy.DESTROY,
lifecyclePolicy: efs.LifecyclePolicy.AFTER_14_DAYS,
performanceMode: efs.PerformanceMode.GENERAL_PURPOSE,
throughputMode: efs.ThroughputMode.BURSTING,
allowAnonymousAccess: true, // This should prevent the default restrictive policy
enableAutomaticBackups: false
});

// If you still need to add a custom policy, you can do so after creation:
fileSystem.addToResourcePolicy(new iam.PolicyStatement({
actions: ['elasticfilesystem:ClientMount', 'elasticfilesystem:ClientWrite', 'elasticfilesystem:ClientRootAccess'],
principals: [new iam.AnyPrincipal()],
resources: ['*'],
conditions: {
Bool: {
'elasticfilesystem:AccessedViaMountTarget': 'true'
}
}
}));

If these steps don't resolve the issue, you may need to check for any organization-wide policies or settings that could be overriding your configuration. Also, ensure that the IAM role attached to your EC2 instance has the necessary permissions to mount the EFS file system.
Sources
interface FileSystemProps · AWS CDK
class FileSystem (construct) · AWS CDK

profile picture
answered a month ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions