🛡️ AWS EFS Mount Target is in a subnet that assigns public IP addresses on launch🟢

• Contextual name: 🛡️ Mount Target is in a subnet that assigns public IP addresses on launch🟢
• ID: /ce/ca/aws/efs/mount-target-public-ip
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EFS Mount Target
  • 🔌 AWS VPC Subnet - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch

Description

Open File

Description

This policy identifies AWS EFS Mount Targets that are deployed in subnets where the Map Public IP On Launch setting is enabled. EFS file systems are designed to be accessed from within a VPC or through private connectivity options such as VPN or AWS Direct Connect, and do not require exposure to the public internet.

Rationale

Deploying EFS mount targets in subnets configured for public-facing resources can unnecessarily increase the attack surface of the storage environment. While EFS mount targets do not receive public IP addresses directly, they rely on ENI that inherit the network characteristics of the associated subnet. A subnet with automatic public IP assignment typically indicates intent for internet-facing workloads.

Maintaining strict network segmentation by placing storage resources in private subnets helps ensure proper isolation, reduces the risk of unintended exposure, and aligns with security best practices for protecting sensitive data.

Audit

This policy flags an AWS EFS Mount Target as INCOMPLIANT if the associated Subnet has Map Public IP On Launch set to true.

Remediation

Open File

Remediation

Recreate the EFS Mount Target in a Private Subnet

AWS EFS mount targets cannot be moved between subnets. Create a new mount target in a subnet where Map Public IP On Launch is disabled, and then delete the existing mount target.

1. Create a new mount target in a private subnet

From AWS CLI

aws efs create-mount-target \
    --file-system-id {{file-system-id}} \
    --subnet-id {{private-subnet-id}} \
    --security-groups {{security-group-id}} \
    --region {{aws-region}}

Note: Ensure the selected subnet does not auto-assign public IP addresses.

2. Verify the new mount target

Confirm that the new mount target is in the available state before proceeding:

aws efs describe-mount-targets \
    --file-system-id {{file-system-id}} \
    --region {{aws-region}}

Verify application connectivity to the EFS file system

3. Delete the existing mount target in the public subnet

After verification, remove the old mount target:

aws efs delete-mount-target \
    --mount-target-id {{old-mount-target-id}} \

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EFS.6] EFS mount targets should not be associated with a public subnet			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			110		no data