AWS - EFS Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Amazon Elastic File System (EFS) is presented as a fully managed, scalable, and elastic network file system by AWS. The service facilitates the creation and configuration of file systems that can be concurrently accessed by multiple EC2 instances and other AWS services. The key features of EFS include its ability to automatically scale without manual intervention, provision low-latency access, support high-throughput workloads, guarantee data durability, and seamlessly integrate with various AWS security mechanisms.
By default, the EFS folder to mount will be / but it could have a different name.
An EFS is created in a VPC and is by default accessible from all the VPC subnets. However, the EFS has its own Security Group. In order to allow an EC2 instance (or any other AWS service) to mount the EFS, the EFS security group must contain an inbound NFS (TCP port 2049) rule that allows traffic from the EC2 instance's Security Group.
Without this, you won't be able to contact the NFS service.
For more information about how to do this check: https://stackoverflow.com/questions/38632222/aws-efs-connection-timeout-at-mount
It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all EFS mount points, it is better to scan the whole /16 netmask rather than only your own subnet.
By default, anyone with network access to the EFS will be able to mount, read and write it, even as the root user. However, a File System policy may be in place that only allows principals with specific IAM permissions to access it. For example, this File System policy won't even allow you to mount the file system if you don't have the required IAM permission:
Or this one will prevent anonymous access:
Note that to mount file systems protected by an IAM policy you MUST use the file system type "efs" in the mount command:
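The two controls described above (the inbound NFS rule on the EFS security group and the file system policy) can be audited from the JSON that the EFS and EC2 APIs return. The following is an added example, not code from the original page: it works on constructed sample responses with placeholder ids (no AWS calls are made), and its policy check is a deliberate simplification that flags a missing policy or an unconditional Allow to Principal "*" as anonymous-mountable.

```python
import ipaddress
import json
# Constructed sample in the shape of describe-security-groups IpPermissions (placeholder
# ids): sg-0efs0000 opens NFS to the world, sg-0efs1111 admits only one EC2 security group.
SECURITY_GROUPS = {
    "sg-0efs0000": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-0efs1111": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ec20000"}]}],
}
# Constructed policy document in the shape describe-file-system-policy returns
ANON_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal":
    {"AWS": "*"}, "Action": "elasticfilesystem:ClientMount", "Resource": "*"}]}
# FileSystemId -> (security groups of its mount targets, policy JSON string or None)
FILE_SYSTEMS = {"fs-00000001": (["sg-0efs0000"], None),
                "fs-00000002": (["sg-0efs1111"], json.dumps(ANON_POLICY))}

def nfs_sources(rules):
    """CIDRs and security-group ids that the inbound rules let reach TCP/2049."""
    sources = []
    for r in rules:
        if r["IpProtocol"] == "-1" or (r["IpProtocol"] == "tcp"
                                       and r["FromPort"] <= 2049 <= r["ToPort"]):
            sources += [ip["CidrIp"] for ip in r.get("IpRanges", [])]
            sources += [p["GroupId"] for p in r.get("UserIdGroupPairs", [])]
    return sources

def policy_allows_anonymous(policy_json):
    """No policy, or an Allow to Principal "*" without a Condition (simplified check)."""
    if policy_json is None:
        return True
    for s in json.loads(policy_json)["Statement"]:
        p = s.get("Principal")
        star = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s["Effect"] == "Allow" and star and "Condition" not in s:
            return True
    return False

def audit(file_systems=FILE_SYSTEMS, security_groups=SECURITY_GROUPS):
    # Returns {FileSystemId: [finding, ...]}; an empty list means nothing flagged
    findings = {}
    for fs_id, (sgs, policy) in file_systems.items():
        issues = []
        for sg in sgs:
            for src in nfs_sources(security_groups[sg]):  # wider than a /16 VPC: exposure
                if "/" in src and ipaddress.ip_network(src).prefixlen < 16:
                    issues.append(f"{sg} admits NFS from {src}")
        if policy_allows_anonymous(policy):
            issues.append("no file system policy or unconditional Allow to *")
        findings[fs_id] = issues
    return findings
```

Feed it real output from describe-mount-target-security-groups, describe-security-groups and describe-file-system-policy to reproduce the check on an account; a file system with an empty finding list still needs IAM permissions to be mounted.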
Access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets.
When you create an access point, you can specify the owner and POSIX permissions for the files and directories created through the access point. You can also define a custom root directory for the access point, either by specifying an existing directory or by creating a new one with the desired permissions. This allows you to control access to your EFS file system on a per-application or per-user basis, making it easier to manage and secure your shared file data.
You can mount the File System from an access point with something like:
Note that even when mounting through an access point you still need to be able to contact the NFS service over the network, and if the EFS has a file system policy, you need enough IAM permissions to mount it.
Access points can be used for the following purposes:
Simplify permissions management: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions.
Enforce a root directory: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification.
Easier file system access: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications.