EFS security over site to site VPN from on-premises Linux server

Hi,

I've set up an EFS instance and a Site-to-Site VPN from my on-premises site to AWS. I can successfully connect to EFS anonymously from my Ubuntu Linux VM. From a security perspective I'm using a security group and have restricted incoming ports and IPs from my on-premises site. I would like to know if I can restrict permissions to the EFS root and directories placed in EFS if I'm using an on-premises Linux server, i.e. can IAM, file system policies and access points apply to on-premises Linux servers, or can they only be used for EC2 instances?

Thanks,

Paddy

1 Answer

I believe the way you can do this from on-prem would be to use named profiles on your on-prem servers.

You can mount with IAM authorization using the IAM credentials located in the AWS CLI credentials file ~/.aws/credentials, or the AWS CLI config file ~/.aws/config. If "awsprofile" is not specified, the "default" profile is used.

To mount with IAM authorization to a Linux instance using a credentials file, use the tls, awsprofile, and iam mount options, shown following.

sudo mount -t efs -o tls,iam,awsprofile=namedprofile file-system-id efs-mount-point/

To automatically mount with IAM authorization to a Linux instance using a credentials file, add the following line to the /etc/fstab file on the EC2 instance.

file-system-id:/ efs-mount-point efs _netdev,tls,iam,awsprofile=namedprofile 0 0

REF: https://docs.aws.amazon.com/efs/latest/ug/mounting-IAM-option.html

After that point you're connected to EFS using IAM and therefore can apply file system policies: https://docs.aws.amazon.com/efs/latest/ug/iam-access-control-nfs-efs.html

You will of course need the Amazon EFS mount helper and amazon-efs-utils as well: https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-helper-direct.html

EXPERT
answered 7 months ago
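An example EFS file system policy to pair with the IAM mount described in the answer (added here as an illustration; it is not the answerer's or AWS's own text). It assumes the credentials in the on-prem named profile belong to a hypothetical IAM role OnPremEfsClient in the placeholder account 111122223333 and that the file system ID is the placeholder fs-EXAMPLE in us-east-1; it grants that role mount and write access, deliberately omits elasticfilesystem:ClientRootAccess, and denies any client that connects without TLS.

```json
{
  "Version": "2012-10-17",
  "Id": "efs-onprem-file-system-policy",
  "Statement": [
    {
      "Sid": "AllowOnPremRoleMountAndWrite",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/OnPremEfsClient" },
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE"
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "*",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:111122223333:file-system/fs-EXAMPLE",
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Because the policy contains no Allow statement for anonymous clients, the anonymous mount that works today from the on-prem VM stops working once the policy is attached; only the mount with the tls,iam,awsprofile options using that role's credentials is still accepted, and root squashing applies since ClientRootAccess is not granted.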
  • Hi Gary,

    Thanks for getting back to me.

    I'll check this out and get back to you.

    Thanks,

    Paddy

  • Cheers Paddy
