adam121 - Fotolia

What security features are available in AWS EFS?

Our enterprise is interested in storing EC2 instances in AWS Elastic File System. How does EFS protect and restrict access to data and resources?

Amazon Web Services released its Elastic File System to provide flexible storage for Amazon workloads, allowing storage capacity to grow or shrink as data is added or removed. Multiple workloads can also share EFS instances, providing common storage for applications.

Elastic File System (EFS) is designed for security -- minimizing the workloads and users who can access each EFS instance. For example, EFS restricts access to selected Elastic Compute Cloud (EC2) instances that reside in an Amazon Virtual Private Cloud (VPC).

A VPC allows users to define a logical network within the cloud where admins can deploy AWS resources like EC2 instances. IT teams can configure VPCs with user-selected IP addresses, subnets, routing tables and gateways to create a completely unique network that can be more difficult for attackers to find in the first place. It is possible to use VPCs to create public-facing networks that are isolated from critical back-end services. VPC security groups and network access control lists are also used to restrict network access to EFS instances.

Amazon EFS handles read, write and execute permissions down to the group and user levels; this can restrict access to specific directories or even individual files. The addition of AWS Identity and Access Management services ensures secure authentication for each user and connects users with authorized cloud resources.

Finally, AWS EFS is integrated with AWS CloudTrail, which provides detailed reports on API calls for the account made through the AWS Management Console, AWS Command Line Interface (CLI), AWS CloudFormation or AWS Software Development Kits. Log data includes details such as who called the API, call times, source IP addresses and so on. Log data can then be used to assess security, track changed resources and even help ensure compliance or audits in the cloud.

AWS EFS can be managed using a variety of platforms including the Web-based AWS Management Console, the AWS CLI and the Amazon EFS API. This allows developers to integrate EFS into software development. These management platforms allow administrators to create and delete EFS instances, configure access to the EFS instances, report details on AWS resources and manage security for users and groups.

The management method you choose depends on your particular preferences and workflow habits. For example, a business trying to automate or standardize EFS activities might prefer running scripts through the CLI, while software developers might opt to create unique tools using APIs. Each option will yield the same level of control and provide the same reporting.

Next Steps

Amazon Elastic File System roadmap details revealed

Do Amazon VPC benefits outweigh downsides?

AWS logging tools provide extra security

Dig Deeper on AWS security