amazon web services - How to create specific EFS policy for VPN client users? - Stack Overflow

I have an EFS resource that I'm making available to EC2 instances as read-only by using the default EFS 'read-only' policy, as below,

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-bafc47e7-8fbd-4d77-8915-c9bbe646f704",
    "Statement": [
        {
            "Sid": "efs-statement-67d772b9-e439-4280-a895-64135dfd4322",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:<value>:file-system/fs-<value>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

I would like to allow VPN client users to mount the EFS and have write access as well, but I can't figure out a method for adding a statement to this policy that enables this.

As a starting point, adding the following of course works, but it allows write access for everything, which is of course not what I'm after,

        {
            "Sid": "Allow write access for VPN users",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "elasticfilesystem:ClientWrite",
            "Resource": "arn:aws:elasticfilesystem:<value>:file-system/fs-<value>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }

I've tried a couple of methods to restrict this write statement to just VPN users,

  1. Modify the AWS Principal with various ARNs related to my VPN endpoint.
  2. Add an 'IpAddress' condition with the key 'aws:VpcSourceIp' that is my VPN client CIDR block as well as just the IP of my client.

Neither approach works; I can only mount the NFS system with read-only access when using either approach.

Is there a way to modify the write statement above that limits it to VPN client users? Or is there another approach I should use instead of amending the default read-only policy?

Much thanks.
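The write statement above "works" because, with a wildcard principal and only the AccessedViaMountTarget condition, it grants ClientWrite to any NFS client that can reach a mount target, not just VPN users. The following review check, added here and not part of the question or any AWS tooling, parses an EFS file-system policy and reports Allow statements with that shape; the ARN and Sids in the sample policy are constructed placeholders. It does not answer how to restrict the grant, only whether a statement restricts it at all.

```python
# Constructed sample (placeholder ARN, not the poster's): the default read-only
# statement plus the over-broad ClientWrite statement from the question.
FS_ARN = "arn:aws:elasticfilesystem:REGION:ACCOUNT:file-system/fs-PLACEHOLDER"
VIA_MOUNT_TARGET = {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientMount"],
         "Resource": FS_ARN, "Condition": VIA_MOUNT_TARGET},
        {"Sid": "Allow write access for VPN users", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "elasticfilesystem:ClientWrite",
         "Resource": FS_ARN, "Condition": VIA_MOUNT_TARGET},
    ],
}

WRITE_ACTIONS = {"elasticfilesystem:clientwrite", "elasticfilesystem:*", "*"}
# Condition keys that say nothing about who the caller is: every NFS client on
# the VPC arrives through a mount target, and using TLS is not an identity.
NON_IDENTIFYING_KEYS = {"elasticfilesystem:accessedviamounttarget", "aws:securetransport"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _condition_keys(stmt):
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}


def find_anonymous_write_grants(policy):
    """Sids of Allow statements granting write to a wildcard principal with no
    condition that narrows the caller: any client reaching a mount target qualifies."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS and not (_condition_keys(stmt) - NON_IDENTIFYING_KEYS):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(find_anonymous_write_grants(SAMPLE_POLICY))  # ['Allow write access for VPN users']
```

Run it against a policy fetched with `aws efs describe-file-system-policy`; a non-empty result means the file system is writable by anything on the mount-target network.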
