AWS - EFS Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

EFS

Basic Information

Amazon Elastic File System (EFS) is presented as a fully managed, scalable, and elastic network file system by AWS. The service facilitates the creation and configuration of file systems that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provision low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms.

By default, the EFS path to mount is /, but the export path could have a different name.

Network Access

An EFS is created in a VPC and is by default reachable from all the VPC subnets. However, every EFS mount target has a Security Group. To let an EC2 instance (or any other AWS service) mount the EFS, the EFS security group must allow an inbound NFS rule (TCP port 2049) from the EC2 instance's Security Group.

Without this, you won't be able to contact the NFS service.

For more information about how to do this check: https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount

Enumeration

# Get filesystems and access policies (if any)
aws efs describe-file-systems
aws efs describe-file-system-policy --file-system-id <id>

# Get subnetworks and IP addresses where you can find the file system
aws efs describe-mount-targets --file-system-id <id>
aws efs describe-mount-target-security-groups --mount-target-id <id>
aws ec2 describe-security-groups --group-ids <sg_id>

# Get other access points
aws efs describe-access-points

# Get replication configurations
aws efs describe-replication-configurations

# Search for NFS in EC2 networks
sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure

It might be that the EFS mount target is inside the same VPC but in a different subnet. If you want to be sure you find all the EFS mount targets, it is better to scan the /16 netmask.
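A defender-side check for the Network Access rule above, run over the output of describe-mount-target-security-groups and describe-security-groups from the enumeration: an added example (not HackTricks or AWS code) that flags security groups exposing NFS/2049 to a CIDR instead of to a source security group. It consumes the JSON shape returned by aws ec2 describe-security-groups; the sample groups below are constructed.

```python
"""Flag EFS mount-target security groups that expose NFS/2049 to a CIDR.
Added example (not HackTricks or AWS code). Input is the "SecurityGroups" list from
`aws ec2 describe-security-groups`; the sample groups below are constructed."""
import ipaddress
import json

NFS_PORT = 2049

def rule_covers_nfs(perm):
    """True if an IpPermissions entry reaches TCP/2049 (or all traffic, IpProtocol -1)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 0)

def audit_nfs_ingress(security_groups, max_prefix=24):
    """Return (group_id, cidr, kind) for ingress rules that open 2049 to a CIDR.

    A source that is another security group (UserIdGroupPairs) is the pattern the
    page describes (EC2 SG -> EFS SG) and is not flagged. CIDR sources wider than
    /max_prefix are flagged so whole-VPC and internet-wide rules stand out.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_nfs(perm):
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen < max_prefix:
                    kind = "internet" if net.prefixlen == 0 else "wide-cidr"
                    findings.append((sg["GroupId"], rng["CidrIp"], kind))
    return findings

# Constructed sample: one SG scoped to a source SG (ok), one open to a /16, one open to the world.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0ddd", "IpPermissions": [{"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}""")

if __name__ == "__main__":
    for group, cidr, kind in audit_nfs_ingress(SAMPLE["SecurityGroups"]):
        print(f"{group}: NFS/2049 reachable from {cidr} ({kind})")
```

Feed it the saved JSON of the security groups returned for each mount target; a group that only lists the EC2 instances' security group as source produces no finding.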

Mount EFS

sudo mkdir /efs

## Mount a discovered mount target directly with the NFS client
sudo apt install nfs-common
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <IP>:/ /efs

## Mount with the efs type (EFS mount helper)
## You need to have installed the package amazon-efs-utils
sudo yum install amazon-efs-utils # If CentOS
sudo apt-get install amazon-efs-utils # If Ubuntu (not in the default Ubuntu repos: the .deb is built from the aws/efs-utils GitHub source)
sudo mount -t efs <file-system-id/EFS DNS name>:/ /efs/

IAM Access

By default, anyone with network access to the EFS can mount it and read and write it, even as the root user. However, a File System policy may be in place that only allows principals with specific IAM permissions to access it. For example, the following File System policy won't even let you mount the file system unless you have the required IAM permission:

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797",
    "Statement": [
        {
            "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "",
            "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

Or this will prevent anonymous access:

Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command:

sudo mkdir /efs
sudo mount -t efs -o tls,iam <file-system-id/EFS DNS name>:/ /efs/
# To use a different profile from ~/.aws/credentials
# You can use: -o tls,iam,awsprofile=namedprofile
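To review what a File System policy like the one above actually grants before relying on it, here is an added example (not HackTricks or AWS code) that summarises the wildcard-principal statements of the "Policy" JSON string returned by aws efs describe-file-system-policy: which client actions everyone gets, whether the grant is limited to clients coming through a mount target (the elasticfilesystem:AccessedViaMountTarget condition shown above), and whether in-transit encryption is enforced. The action and condition key names are real EFS/IAM keys; the sample policy is constructed.

```python
"""Summarise the wildcard-principal grants in an EFS file-system policy.
Added example (not HackTricks or AWS code); input is the "Policy" JSON string from
`aws efs describe-file-system-policy`. Key names are real; the sample policy is constructed."""
import json

CLIENT_ACTIONS = ("elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                  "elasticfilesystem:ClientRootAccess")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _everyone(principal):
    # "Principal": "*" or {"AWS": "*"}: any caller, IAM-authenticated or anonymous
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _granted(stmt):
    # Client actions the statement covers, expanding "*" and "elasticfilesystem:*"
    acts = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if "*" in acts or "elasticfilesystem:*" in acts:
        return set(CLIENT_ACTIONS)
    return {a for a in CLIENT_ACTIONS if a.lower() in acts}

def review_policy(policy_json):
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    report = {"public_allows": [], "tls_enforced": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if not _everyone(stmt.get("Principal")):
            continue  # scoped to named principals
        bools = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Allow":
            report["public_allows"].append({
                "sid": stmt.get("Sid", ""),
                "actions": sorted(_granted(stmt)),
                # true only when the grant is limited to clients coming through a mount target
                "mount_target_only": str(bools.get("elasticfilesystem:AccessedViaMountTarget", "")).lower() == "true"})
        elif stmt.get("Effect") == "Deny" and str(bools.get("aws:SecureTransport", "")).lower() == "false":
            report["tls_enforced"] = True  # the documented "enforce in-transit encryption" statement
    return report

# Constructed sample: everyone may mount and write via a mount target (no root), and TLS is required.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "MountWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
     "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
    {"Sid": "RequireTLS", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

A public Allow whose actions include elasticfilesystem:ClientRootAccess and whose mount_target_only flag is false is the configuration to fix first; the page's own policy, once its Action list is filled in, would report as mount_target_only.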

Access Points

Access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets.

When you create an access point, you can specify the owner and POSIX permissions for the files and directories created through the access point. You can also define a custom root directory for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to control access to your EFS file system on a per-application or per-user basis, making it easier to manage and secure your shared file data.

You can mount the File System from an access point with something like:

# Add iam to the options if the file system policy requires IAM permissions
sudo mount -t efs -o tls,[iam],accesspoint=<access-point-id> \
    <file-system-id/EFS DNS name>:/ /efs/

Note that even when mounting through an access point you still need network access to the NFS service, and if the EFS has a file system policy, you need enough IAM permissions to mount it.

Access points can be used for the following purposes:

  • Simplify permissions management: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions.

  • Enforce a root directory: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.

  • Easier file system access: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.

Privesc

See: AWS - EFS Privesc

Post Exploitation

See: AWS - EFS Post Exploitation

Persistence

See: AWS - EFS Persistence