More Info:

This rule checks whether Amazon Elastic File System (Amazon EFS) access points are configured to enforce a user identity. An access point is marked as non-compliant if ‘PosixUser’ is not defined, or if rule parameters are supplied and the access point's corresponding values do not match them.

Risk Level

High

Address

Security

Compliance Standards

CBP, RBI_MD_ITF

Triage and Remediation

Remediation

To remediate EFS access points that do not enforce a user identity in AWS Kubernetes using the AWS console, follow these steps:

  1. Log in to the AWS Console: Go to the AWS Management Console and log in with your credentials.

  2. Navigate to Amazon EFS service: Click on “Services” in the top menu bar, search for “EFS” in the search bar, and click on “Amazon EFS” to open the EFS dashboard.

  3. Select the EFS File System: From the list of available EFS file systems, select the EFS file system for which you want to enforce user identity for access points.

  4. Create Access Points: If you haven’t already created an access point for the EFS file system, you will need to create one. Click on the “Access points” tab in the EFS dashboard, then click on the “Create access point” button.

  5. Configure Access Point: Fill in the necessary details for the access point, such as the name, root directory path, owner UID, owner GID, and POSIX permissions. Ensure that you specify the correct owner UID and owner GID to enforce user identity.

  6. Enable User Identity Enforcement: In the access point configuration, make sure to select the option to “Enforce user identity” to ensure that the user identity is enforced for the access point.

  7. Save Changes: Once you have configured the access point with the necessary details and enabled user identity enforcement, click on the “Create access point” button to save the changes.

  8. Update Kubernetes Configurations: Update your Kubernetes configurations to use the newly created EFS access point with user identity enforcement enabled. You may need to update your PersistentVolumeClaims (PVCs) and PersistentVolumes (PVs) to use the access point.

By following these steps, you remediate EFS access points that do not enforce a user identity in AWS Kubernetes using the AWS console.
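The rule logic described under More Info and the remediation steps above, as an added Python example that is not part of the original page or of any AWS tooling. It evaluates a list shaped like the AccessPoints array returned by the EFS DescribeAccessPoints API (the two access points here are constructed samples), builds the CreateAccessPoint parameters that pin the identity (steps 4 to 7), and renders the Kubernetes PersistentVolume that mounts through the access point via the EFS CSI driver (step 8). The `expected_uid` and `expected_gid` arguments stand in for the rule's optional parameters, whose names the page does not give; the root path `/app`, the storage class `efs-sc` and the file system and access point IDs are placeholders.

```python
"""Evaluate EFS access points for the enforce-user-identity rule and build
the remediated access point definition plus the Kubernetes PV that uses it.

Added example, not from the original page. Assumptions are labelled inline.
"""
from typing import Optional

# Constructed sample shaped like DescribeAccessPoints output: the first access
# point has no PosixUser, the second pins every mount to uid/gid 1000.
ACCESS_POINTS = [
    {
        "AccessPointId": "fsap-0000000000000001",   # placeholder id
        "FileSystemId": "fs-00000001",              # placeholder id
        "RootDirectory": {"Path": "/"},
    },
    {
        "AccessPointId": "fsap-0000000000000002",   # placeholder id
        "FileSystemId": "fs-00000001",
        "PosixUser": {"Uid": 1000, "Gid": 1000, "SecondaryGids": []},
        "RootDirectory": {
            "Path": "/app",
            "CreationInfo": {"OwnerUid": 1000, "OwnerGid": 1000, "Permissions": "0750"},
        },
    },
]


def evaluate_access_point(ap: dict,
                          expected_uid: Optional[int] = None,
                          expected_gid: Optional[int] = None) -> tuple[str, str]:
    """Return (compliance, reason) for one access point.

    NON_COMPLIANT when PosixUser is absent, or when an expected uid/gid
    (stand-ins for the rule parameters) is supplied and does not match.
    """
    posix = ap.get("PosixUser")
    if not posix or "Uid" not in posix or "Gid" not in posix:
        return "NON_COMPLIANT", "PosixUser is not defined; clients choose their own uid/gid"
    if expected_uid is not None and posix["Uid"] != expected_uid:
        return "NON_COMPLIANT", f"Uid {posix['Uid']} does not match expected {expected_uid}"
    if expected_gid is not None and posix["Gid"] != expected_gid:
        return "NON_COMPLIANT", f"Gid {posix['Gid']} does not match expected {expected_gid}"
    return "COMPLIANT", f"identity enforced as uid={posix['Uid']} gid={posix['Gid']}"


def evaluate_all(access_points, expected_uid=None, expected_gid=None) -> dict:
    """Map each AccessPointId to its compliance status."""
    return {ap["AccessPointId"]: evaluate_access_point(ap, expected_uid, expected_gid)[0]
            for ap in access_points}


def remediated_access_point(file_system_id: str, uid: int, gid: int,
                            path: str = "/app", permissions: str = "0750") -> dict:
    """CreateAccessPoint parameters that enforce the identity (steps 4 to 7).

    The owner uid/gid in CreationInfo match PosixUser so the root directory is
    created for the same identity that every mount will be forced to use.
    """
    return {
        "FileSystemId": file_system_id,
        "PosixUser": {"Uid": uid, "Gid": gid},
        "RootDirectory": {
            "Path": path,
            "CreationInfo": {"OwnerUid": uid, "OwnerGid": gid, "Permissions": permissions},
        },
    }


def persistent_volume(file_system_id: str, access_point_id: str, name: str = "efs-pv") -> dict:
    """Kubernetes PV for the EFS CSI driver that mounts through the access point (step 8)."""
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolume",
        "metadata": {"name": name},
        "spec": {
            "capacity": {"storage": "5Gi"},         # required by Kubernetes, ignored by EFS
            "volumeMode": "Filesystem",
            "accessModes": ["ReadWriteMany"],
            "persistentVolumeReclaimPolicy": "Retain",
            "storageClassName": "efs-sc",           # placeholder storage class name
            "csi": {
                "driver": "efs.csi.aws.com",
                # The fs-id::fsap-id handle routes every mount through the access point,
                # so the pod receives the enforced uid/gid rather than its own.
                "volumeHandle": f"{file_system_id}::{access_point_id}",
            },
        },
    }


if __name__ == "__main__":
    for ap_id, status in evaluate_all(ACCESS_POINTS, expected_uid=1000).items():
        print(ap_id, status)
    print(remediated_access_point("fs-00000001", 1000, 1000))
    print(persistent_volume("fs-00000001", "fsap-0000000000000002")["spec"]["csi"]["volumeHandle"])
```

Running the module flags the first sample access point as NON_COMPLIANT and the second as COMPLIANT; passing a different `expected_uid` turns the second one non-compliant as well, which is the parameter-mismatch branch of the rule. Feeding the output of `remediated_access_point` back into `evaluate_access_point` is a quick way to confirm the replacement definition would pass before creating it.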