AWS Storage Blog

Using available Amazon EFS security features while migrating files with AWS DataSync

When performing an online data migration, an important requirement is often security in transit. When evaluating migration options, you should consider if the tools available can provide encryption of data in flight, to help prevent unauthorized users from reading your data.

Amazon Elastic File System (EFS) provides the ability to encrypt data in transit by enabling Transport Layer Security (TLS), and allows you to control client access with file system policies. Amazon EFS also provides the ability to create access points that allow for application-specific entry into an EFS file system. Performing an online migration with AWS DataSync provides the flexibility of integrating directly with the various security features Amazon EFS provides.

In this post, I walk through performing data migrations with an Amazon EFS location using AWS DataSync and a combination of available EFS security features, including TLS encryption, file system policies and access points. These security features can help secure data in flight and control client access to your Amazon EFS file system, allowing you to configure migration options that meet your security and compliance requirements.

In the following sections, I review the available options for configuring EFS security features with DataSync. I first review how to encrypt data in transit and enforce encryption in transit with EFS file system policies. I then review how to configure AWS DataSync with file system policies as well as EFS access points.

  1. Encrypting data in transit to EFS file systems.
  2. Using an Amazon EFS file system policy to enforce in-transit encryption.
  3. Using a file system policy with IAM roles to control data access with DataSync.
  4. Targeting an EFS access point with AWS DataSync.

Encrypting data in transit to Amazon EFS file systems

Encryption in transit using TLS is automatically enabled when clients use the Amazon EFS mount helper to mount file systems. Alternately, you can configure stunnel manually. When configuring an EFS location for DataSync, you can simply specify TLS 1.2 for in-transit encryption in the AWS Management Console, CLI, or API. While DataSync encrypts traffic from the agent to the service, it enables TLS as part of the DataSync-EFS location and verifies that the traffic is also encrypted from the DataSync service to your selected Amazon EFS file system.

Figure 1 shows enabling Amazon EFS In-transit encryption as part of a DataSync EFS location from the DataSync console.

Figure 1: Enabling Amazon EFS In-transit encryption as part of a DataSync EFS location from the DataSync console.

Now I’ve provided some background on using encryption with TLS when mounting clients, and on creating a DataSync task with an Amazon EFS location, how can you know that your Amazon EFS file system is enforcing encryption in transit?

Using an Amazon EFS file system policy to enforce in-transit encryption with DataSync

You can control client access to Amazon EFS resources by creating file system policies. Initially, Amazon EFS uses a default file system policy that grants full access to a client that can connect to the file system via a mounted target. Amazon EFS provides several preconfigured system policies that you can set through the AWS Management Console by editing the file system policy.

Selecting the policy option Enforce in-transit encryption for all clients on your Amazon EFS file system policy creates a Deny rule for clients that are not mounting with the TLS option. This pre-configured policy example is as follows:

"Statement": [
    {
        "Sid": "efs-statement-cc23a549-ea69-4369-83c1-7b3570c5a88b",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "elasticfilesystem:ClientRootAccess",
            "elasticfilesystem:ClientWrite",
            "elasticfilesystem:ClientMount"
        ],
        "Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNTID:file-system/fs-ID",
        "Condition": {
            "Bool": {
                "elasticfilesystem:AccessedViaMountTarget": "true"
            }
        }
    },
    {
        "Sid": "efs-statement-576115f9-526f-4d6c-8210-8f863b7b905a",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "*",
        "Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNTID:file-system/fs-ID",
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "false"
            }
        }
    }
]

Now that an Amazon EFS file system policy is configured to accept only TLS encrypted traffic, you can verify the file system denies unencrypted clients. You can attempt to execute a DataSync task targeting the Amazon EFS file system without selecting the TLS option for the EFS location. This results with a failed task and a mount.nfs: Connection timed out error. In addition, a client that attempts to mount without TLS would get an access denied error. Executing a DataSync task using in-transit encryption with an Amazon EFS location succeeds with the file system policy in place.

Using an Amazon EFS file system policy with IAM roles to control data access with DataSync

You can use an AWS Identity and Access Management (IAM) role within a file system resource policy to control client access to Amazon EFS resources. When using an IAM role and file system resource policies, you can configure permissions in either the IAM roles policy or the file system resource policy. Permissions don’t need to be granted in both the IAM role and resource policy simultaneously. Clients can then mount the file system with IAM authorization using an instance profile.

You can configure DataSync to use an IAM role configured with access to the file system as part of the DataSync-EFS location. This allows you to continue to use file system policies to provide granular levels of permissions during a data migration using DataSync with an Amazon EFS location. The first step is to create a role in IAM and add a trusted entity type that allows the DataSync service principal to assume the role:

  1. Open the AWS IAM console.
  2. In the left navigation pane, under Access management, choose Roles, and then choose Create role.
  3. On the Select trusted entity page, for Trusted entity type, choose Custom trust policy.
  4. Paste the following JSON into the policy editor:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "datasync.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
}

The IAM role doesn’t explicitly require policy permissions because the role will only be used for identity as part of the Amazon EFS file system policy.

You can now create a AWS DataSync-EFS location and specify the created IAM role. When using an IAM role with a DataSync-EFS location, you must also use in-transit encryption.

Figure 2 shows selecting an IAM role as part of a DataSync EFS location from the DataSync console.

Figure 2: Selecting an IAM role as part of a DataSync EFS location from the DataSync console.

With the IAM role and AWS DataSync task configured to assume the role, you can now provide the IAM role access within the Amazon EFS file system policy. DataSync mounts Amazon EFS as a root user, so the policy must include the action elasticfilesystem:ClientRootAccess. This is an example file system policy that allows DataSync to migrate data to an Amazon EFS destination specifying the created IAM role as a principal. The action elasticfilesystem:ClientWrite is provided so you can migrate data to an Amazon EFS destination location. You can omit the elasticfilesystem:ClientWrite to provide DataSync read only access if your Amazon EFS location is the source.

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-555d88c0-2b2c-4e32-8075-670a7d8e881f",
    "Statement": [
        {
            "Sid": "efs-statement-f34b4937-a871-4aa2-88a2-ac47c09d7079",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNTID:role/datasync-efs-iam-role"
                ]
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNTID:file-system/fs-ID",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}

Targeting an EFS access point with AWS DataSync

Amazon EFS access points allow you to create specific entry points into an Amazon EFS file system to manage application access and shared datasets while providing the ability to enforce user identity and override the root directory for a file system. DataSync specifies an access point as part of the DataSync EFS location. Specifying an Amazon EFS access point requires enabling in-transit encryption and you can optionally specify an IAM role to use along with Amazon  EFS file system policies as described in the last section.

Figure 3 shows selecting an Amazon EFS access point as part of a DataSync EFS location from the DataSync console.

Figure 3: Selecting an Amazon EFS access point as part of a DataSync EFS location from the DataSync console.

When targeting an Amazon EFS access point with an IAM role as a DataSync location, you can configure your Amazon  EFS file system policy to allow DataSync access to the specific access point with the DataSync IAM role as a principal. This is an example file system policy that allows DataSync to migrate data to an Amazon EFS destination access point while specifying the created IAM role as a principal. The condition statement requires TLS to be enabled and must match the provided access point string.

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-555d88c0-2b2c-4e32-8075-670a7d8e881f",
    "Statement": [
        {
            "Sid": "efs-statement-f34b4937-a871-4aa2-88a2-ac47c09d7079",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::ACCOUNTID:role/datasync-efs-iam-role"

                ]
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNTID:file-system/fs-ID",
            "Condition": {
                "StringEquals": {
                    "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:REGION:ACCOUNTID:file-system/fs-ID/fsap-ID"
                },
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}

With the following Amazon EFS policy established, you can now execute your DataSync tasks to a specific access point while keeping your Amazon EFS file system policies in place.

Cleaning up

If you created any Amazon EFS file systems or added file system policies while walking through this blog, be sure to remove any files system policies and delete Amazon EFS file systems that may have been used for testing purposes.

Conclusion

In this post, I talked about various ways you can use existing Amazon EFS security features while migrating your data with AWS DataSync. Specifically, I covered how to mount Amazon EFS, with in-transit encryption configured, as a DataSync location. I also highlighted encryption with a preconfigured Amazon EFS file system policy.

I established the basics of using in-transit encryption and outlined how to create an IAM role configured with DataSync as a trusted entity, which can be specified as a principal in Amazon EFS file system policies. Specifying an IAM policy adds flexibility while providing DataSync specific permissions to your Amazon EFS file system and allows DataSync the ability to integrate with existing policies. Lastly, I walked through how to securely configure DataSync to target specific Amazon EFS access points as part of your data migration providing you multiple options on how to secure your online data migration.

These methods allow you to utilize various security options for your data migrations with AWS DataSync and Amazon EFS, giving you the control you need to secure your data and meet the needs of your environment.

AWS DataSync and Amazon EFS provide a variety of options to simply and securely perform your data migrations, which you can start implementing today.