For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-efs-with-vulnerable-policy.md. A documentation index is available at /llms.txt.

EFS with vulnerable policy

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-efs-with-vulnerable-policy

Provider: AWS

Platform: Terraform

Severity: Medium

Category: Access Control

Learn More

Description

AWS EFS file system policies should avoid the use of wildcards (*) in the Action and Principal fields, as shown below, because this grants broad permissions to all users and all actions:

"Principal": { "AWS": "*" },
"Action": ["elasticfilesystem:*"]

Such overly permissive policies can allow any AWS account to perform any action on the EFS resource, leading to potential unauthorized data access, deletion, or modification. To mitigate this risk, restrict the Principal to specific IAM identities and limit Action to only what is necessary. For example:

"Principal": { "AWS": "arn:aws:iam::111122223333:user/Carlos" },
"Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]

Compliant Code Examples

resource "aws_efs_file_system" "fs" {
  creation_token = "my-product"
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.fs.id

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/Carlos"
            }
            "Resource": "aws_efs_file_system.test.arn",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
POLICY
}

Non-Compliant Code Examples

provider "aws" {
  region = "us-east-1"
}

resource "aws_efs_file_system" "not_secure" {
  creation_token = "efs-not-secure"

  tags = {
    Name = "NotSecure"
  }
}

resource "aws_efs_file_system_policy" "not_secure_policy" {
  file_system_id = aws_efs_file_system.not_secure.id

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:*"
            ]
        }
    ]
}
POLICY
}

resource "aws_efs_file_system_policy" "multi_statement" {
  file_system_id = aws_efs_file_system.example.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SafeStatement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": ["elasticfilesystem:ClientRead"]
    },
    {
      "Sid": "VulnerableStatement",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["elasticfilesystem:*"]
    }
  ]
}
POLICY
}

resource "aws_efs_file_system_policy" "jsonencoded" {
  file_system_id = aws_efs_file_system.example.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "JsonEncodedVulnerable"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["elasticfilesystem:*"]
      }
    ]
  })
}