Walkthrough: Enable root squashing using IAM authorization for NFS clients - Amazon Elastic File System
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Walkthrough: Enable root squashing using IAM authorization for NFS clients

In this walkthrough, you configure Amazon EFS to prevent root access to your Amazon EFS file system for all Amazon principals except for a single management workstation. You do this by configuring Amazon Identity and Access Management (IAM) authorization for Network File System (NFS) clients. For more information about IAM authorization for NFS clients in EFS, see Using IAM to control file system data access.

Doing this requires configuring two IAM permissions policies, as follows:

  • Create an EFS file system policy that explicitly allows read and write access to the file system, and implicitly denies root access.

  • Assign an IAM identity to the Amazon EC2 management workstation that requires root access to the file system by using an Amazon EC2 instance profile. For more information about Amazon EC2 instance profiles, see Using Instance Profiles in the Amazon Identity and Access Management User Guide.

  • Assign the AmazonElasticFileSystemClientFullAccess Amazon managed policy to the IAM role of the management workstation. For more information about Amazon managed policies for EFS, see Identity and access management for Amazon Elastic File System.

To enable root squashing using IAM authorization for NFS clients, use the following procedures.

To prevent root access to the file system
  1. Open the Amazon Elastic File System console at https://console.amazonaws.cn/efs/.

  2. Choose Filesystems.

  3. On the File systems page, choose the file system that you want to enable root squashing on.

  4. On the file system details page, choose File system policy, and then choose Edit. The File system policy page appears.

    (Screenshot: File system policy page for editing and saving the file system policy.)
  5. Choose Prevent root access by default* under Policy options. The policy JSON object appears in the Policy editor.

  6. Choose Save to save the file system policy.

Clients that aren't anonymous can get root access to the file system through an identity-based policy. When you attach the AmazonElasticFileSystemClientFullAccess managed policy to the workstation's role, IAM grants root access to the workstation based on its identity policy.

To enable root access from the management workstation
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. Create a role for Amazon EC2 called EFS-client-root-access. IAM creates an instance profile with the same name as the EC2 role you created.

  3. Assign the Amazon managed policy AmazonElasticFileSystemClientFullAccess to the EC2 role you created. The contents of this policy are shown following.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticfilesystem:ClientMount",
                    "elasticfilesystem:ClientRootAccess",
                    "elasticfilesystem:ClientWrite",
                    "elasticfilesystem:DescribeMountTargets"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Attach the instance profile to the EC2 instance that you are using as the management workstation, as described following. For more information, see Attaching an IAM Role to an Instance in the Amazon EC2 User Guide for Linux Instances.

    1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

    2. In the navigation pane, choose Instances.

    3. Choose the instance. For Actions, choose Instance Settings, and then choose Attach/Replace IAM role.

    4. Choose the IAM role that you created in the first step, EFS-client-root-access, and choose Apply.

  5. Install the EFS mount helper on the management workstation. For more information about the EFS mount helper and the amazon-efs-utils package, see Using the amazon-efs-utils tools.

  6. Mount the EFS file system on the management workstation by using the following command with the iam mount option.

    $ sudo mount -t efs -o tls,iam file-system-id:/ efs-mount-point

    You can configure the Amazon EC2 instance to automatically mount the file system with IAM authorization. For more information about mounting an EFS file system with IAM authorization, see Mounting with IAM authorization.
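The following Python is an added illustration, not part of this walkthrough or of Amazon's code: it models, in simplified form, how the file system policy from the first procedure and the AmazonElasticFileSystemClientFullAccess identity policy from the second combine, so you can see why an anonymous NFS client loses root while the management workstation keeps it. The shape of the "Prevent root access by default" file system policy is an assumption; the IAM evaluation is reduced to allow/deny matching on the Action field.

```python
# Added example, not code from the AWS walkthrough: a simplified model of how
# EFS combines a file system (resource) policy with the caller's IAM identity
# policies. Real IAM evaluation has more rules (conditions, SCPs, permission
# boundaries); this models only the allow/deny logic the walkthrough relies on.
import fnmatch

# Assumed shape of the policy "Prevent root access by default" generates: every
# principal may mount and write, ClientRootAccess is simply not granted.
FILE_SYSTEM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["elasticfilesystem:ClientMount",
                   "elasticfilesystem:ClientWrite"],
    }],
}

# AmazonElasticFileSystemClientFullAccess, as shown in the walkthrough.
CLIENT_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:ClientMount",
                   "elasticfilesystem:ClientRootAccess",
                   "elasticfilesystem:ClientWrite",
                   "elasticfilesystem:DescribeMountTargets"],
        "Resource": "*",
    }],
}

def _effects(policy, action):
    """Yield the Effect of each statement whose Action pattern covers action."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            yield stmt["Effect"]

def efs_allows(action, identity_policies, fs_policy=FILE_SYSTEM_POLICY):
    """Explicit Deny anywhere wins; otherwise an Allow in the file system policy
    or in any of the caller's identity policies grants the action. An anonymous
    NFS client (mounted without the iam option) has no identity policies, so it
    receives only what the file system policy allows."""
    effects = list(_effects(fs_policy, action))
    for policy in identity_policies:
        effects.extend(_effects(policy, action))
    return "Deny" not in effects and "Allow" in effects
```

Calling efs_allows with an empty identity-policy list stands for an anonymous mount; passing CLIENT_FULL_ACCESS stands for the workstation mounted with the iam option.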