Amazon has updated its elastic file system (EFS) with new access management and security features in a bid to make creating “scalable architectures sharing data and configurations” easier.
Customers can now setup file system policies when creating or updating EFS systems. They are realised via identity and access management (IAM) resource policies and are applied to all NFS clients connecting to a file system.
During the setup process, users can choose whether root access should be disabled by default, if read-only access should be enforced as a standard, and if in-transit encryption needs to be a must for all clients. Policies are created in JSON format and can be altered to fit more complex scenarios and for example give certain accounts or IAM roles more privileges.
Every time an IAM permission is checked, the AWS CloudTrail console logs an appropriate event, making the process auditable.
The second new feature, access points, pursue a similar purpose, offering admins more control when allowing applications file system access. Access points let them specify which POSIX user and group to use for a connection, which can be used to restrict access to selected directories only.
The new addition is especially highlighted as a way of securing container-based environments, and data science projects that shouldn’t be allowed to write to production data. The latter can be implemented in combination with IAM authentication for example, thus rounding up the update.
EFS is available in all AWS regions except Osaka, which has a special local region status, and Beijing and Ningxia, which are operated by local providers. Additional information can be found in Amazon EFS’ documentation.