aws-efs: EFS does not contain the mount access policy by default

[samyak-jain]

Describe the bug

Creating an EFS filesystem using defaults currently creates an unusable filesystem because, by default, the elasticfilesystem:ClientMount action is not present in the access policy of the file system.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

elasticfilesystem:ClientMount should be present by default in the EFS access policy.

Current Behavior

elasticfilesystem:ClientMount does not exist in the EFS access policy without providing your custom policy.

Reproduction Steps

Any barebones example for ECS and EFS that does not use a custom policy will face this issue.

const vpc = new ec2.Vpc(this, "AppVPC", {});
const filesystem = new efs.FileSystem(this, "ApplicationEFS", {
  vpc,
});
const efsSecurityGroup = new ec2.SecurityGroup(this, "EfsSecurityGroup", {
  vpc,
  description: "Allow EFS access",
});

efsSecurityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcp(2049),
  "Allow NFS traffic"
);
const cluster = new ecs.Cluster(this, "ApplicationCluster", { vpc });
const taskDefinition = new ecs.FargateTaskDefinition(this, "TaskDef");
taskDefinition.addVolume({
  name: "efs-volume",
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId,
    transitEncryption: "ENABLED",
  },
});

const container = taskDefinition.addContainer("AppContainer", {
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
});

container.addMountPoints({
  sourceVolume: "efs-volume",
  containerPath: "/mnt/efs",
  readOnly: false,
});
new ecs.FargateService(this, "MyService", {
  cluster,
  taskDefinition,
  desiredCount: 1,
  securityGroups: [efsSecurityGroup],
});

Possible Solution

This should be a 1 line change where we add mount to the default policy.

Additional Information/Context

No response

CDK CLI Version

2.1001.0 (build 130445d)

Framework Version

No response

Node.js Version

v20.18.3

OS

Arch Linux

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi,

After analyzing the code in packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts, I can see that we need to modify the access policy logic. In the FileSystem constructor where it creates the fileSystemPolicy, we need to modify the policy statement to include the ClientMount action when denying anonymous access.

aws-cdk/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts

Lines 813 to 816 in d51f70a

	actions: [
	ClientAction.WRITE,
	ClientAction.ROOT_ACCESS,
	],

The key change is adding ClientAction.MOUNT to the actions array when creating the policy statement. This ensures that when anonymous access is not allowed, we explicitly handle the mount action in the policy.

[mazyu36]

I attempted to fix this issue, but I'm unsure whether it actually needs to be fixed.
The current policy is identical to the EFS managed 'Prevent anonymous access' policy in the Management Console.

This was implemented in PR #25486. The current policy appears to be created as intended.

What are your thoughts on this?

[aemada-aws]

potential duplicate of #27374