I've been looking into EFS file system policies, and still haven't understood what kind of access would be blocked in this policy:

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
    "Statement": [
        {
            "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

But not in this one (without the condition):

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-15ad9567-2546-4bbb-8168-5541b6fc0e55",
    "Statement": [
        {
            "Sid": "efs-statement-14a7191c-9401-40e7-a388-6af6cfb7dd9c",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess"
            ]
        }
    ]
}

As I understand it, mount targets are what give your EFS volume an IP for you to access it. Is it possible to have access that is not via a mount target?


Best answer:

Repeating my answer to another question on this here:

AWS Transfer Family is capable of accessing EFS filesystems directly, without going through a mount target. AWS Transfer Family is a service that allows you to expose your EFS filesystem (or S3 bucket) through SSH, FTP or others, publicly or not, and even in other accounts. You can read more about it in the docs.

This could be a big security problem - previously, all accesses were through mount targets, which were endpoints inside your VPC. You could have a policy allowing any access to your EFS filesystem, and it would still be contained to your VPC, but now no more. The addition of EFS support to Transfer Family creates the possibility of that being exploited for accessing filesystems with policies that are not restrictive enough.

Because of this, AWS disables use of EFS with Transfer Family for any accounts containing exploitable policies, as described here:

Note

Using Transfer Family with Amazon EFS is disabled by default for AWS accounts that have EFS file systems with policies that allow public access that were created before January 6, 2021. To enable using Transfer Family to access your file system, contact AWS Support.

Do note that January 6, 2021 is the day before the announcement of AWS Transfer Family adding support for EFS.

So this also explains what "allows public access" really means: it means your EFS filesystem has a policy that could be exploited by an attacker in a different account to mount your filesystem through AWS Transfer Family. To avoid this problem, any EFS that "allows public access" (i.e. is exploitable in this way) is blocked from being used by AWS Transfer Family. If you really want to use it that way, you have to be explicit in adding an elasticfilesystem:AccessedViaMountTarget: false.

TLDR

AWS Transfer Family can be used to access EFS without a mount target, and the AWS Transfer Family concept of "allowing public access" is actually a way to avoid this being exploited, requiring you be explicit if you want to allow EFS to be accessed through AWS Transfer Family.
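To make the criterion from this answer concrete, here is an added example (not code from the question, either answer, or AWS) that checks whether an EFS file system policy "allows public access" in the sense described above: an Allow statement granting client actions to any principal without `elasticfilesystem:AccessedViaMountTarget` pinned to `"true"`. It is an approximation of the check AWS performs, not AWS's own implementation; the two policies from the question are embedded as inputs.

```python
# Added example, not from the question or either answer. It applies the accepted
# answer's criterion: an EFS policy "allows public access" when an Allow statement
# grants client actions to any principal without AccessedViaMountTarget == "true".
# Approximation of AWS's check, not AWS's own implementation.
CLIENT_ACTIONS = {"elasticfilesystem:clientmount",
                  "elasticfilesystem:clientwrite",
                  "elasticfilesystem:clientrootaccess"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_client_action(actions):
    # Exact client actions, or a wildcard ("*", "elasticfilesystem:Client*") covering one.
    for action in _as_list(actions):
        a = action.lower()
        if a in CLIENT_ACTIONS or (a.endswith("*") and any(c.startswith(a[:-1]) for c in CLIENT_ACTIONS)):
            return True
    return False

def _confined_to_mount_targets(condition):
    # Only Bool AccessedViaMountTarget == "true" keeps access on the VPC mount
    # targets; if it is absent or "false", access via Transfer Family is possible.
    for operator, pairs in (condition or {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in pairs.items():
            if key.lower() == "elasticfilesystem:accessedviamounttarget":
                return all(str(v).lower() == "true" for v in _as_list(value))
    return False

def allows_public_access(policy):
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anyone(stmt.get("Principal"))
                and _grants_client_action(stmt.get("Action", []))
                and not _confined_to_mount_targets(stmt.get("Condition"))):
            return True
    return False

# The question's two policies, reduced to the fields that matter here.
ALLOW_ANY = {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                        "elasticfilesystem:ClientRootAccess"]}
FIRST_POLICY = {"Version": "2012-10-17", "Statement": [dict(ALLOW_ANY, Condition={
    "Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}})]}
SECOND_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_ANY]}
```

`allows_public_access(FIRST_POLICY)` is False and `allows_public_access(SECOND_POLICY)` is True, matching the two policies in the question.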

Second answer:

The second policy is considered a public access policy for the EFS. The meaning of "public" is different than, for example, in a public S3 bucket.

From what I understand, for the end user there is no difference between public and non-public. The only difference seems to be related to internal systems that AWS uses. Namely for AWS Transfer Family. From the docs:

When you use Amazon EFS with AWS Transfer Family, file system access requests received from a Transfer Family server that is owned by a different account than the file system are blocked if the file system allows public access.

Since the second policy is considered public, AWS Transfer Family will not work with EFS. Thus you have to ensure that your filesystem is non-public.